CN1717697B - System and method for compressing secure e-mail for exchange with a mobile data communication device - Google Patents


Info

Publication number
CN1717697B
Authority
CN
China
Prior art keywords
message
mobile device
encryption
session key
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN028157591A
Other languages
Chinese (zh)
Other versions
CN1717697A (en)
Inventor
James A. Godfrey
Herbert A. Little
Michael K. Brown
Neil P. Adams
Carl L. Cherry
Timothy R. Tyhurst
Michael S. Brown
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BlackBerry Ltd
Original Assignee
Research in Motion Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Research in Motion Ltd
Priority claimed from PCT/CA2002/000889 (WO2002101605A2)
Publication of CN1717697A
Application granted
Publication of CN1717697B
Anticipated expiration
Current legal status: Expired - Lifetime

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/107 Computer-aided management of electronic mailing [e-mailing]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/06 Message adaptation to terminal or network requirements
    • H04L51/066 Format adaptation, e.g. format conversion or compression
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/58 Message adaptation for wireless communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/04 Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/565 Conversion or adaptation of application format or content
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/565 Conversion or adaptation of application format or content
    • H04L67/5651 Reducing the amount or size of exchanged application data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/02 Arrangements for optimising operational condition
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/16 Communication-related supplementary services, e.g. call-transfer or call-hold
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W40/00 Communication routing or communication path finding
    • H04W40/02 Communication route or path selection, e.g. power-based or shortest path routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/16 Arrangements for providing special services to substations
    • H04L12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/189 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast in combination with wireless systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Abstract

A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device, the message is processed so as to modify the message with respect to one or more encryption and/or authentication aspects. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a host system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the host system to one or more receivers.

Description

System and method for compressing secure e-mail for exchange with a mobile data communication device
Cross-reference to related applications
This application claims priority from U.S. Provisional Application S/N 60/297,681, filed June 12, 2001, and S/N 60/365,535, filed March 20, 2002. The entire disclosure of each of these provisional applications, including the drawings, is incorporated into this application by reference.
Background of the invention
Description of the related art
Many schemes are known for exchanging messages between a host system and a mobile device. However, these systems tend to follow simple encoding methods that deliver a shortened version of the original message to the mobile device, particularly when authentication and/or encryption are involved. This has limited the usefulness of mobile devices for handling such messages.
Summary
In accordance with the teachings provided herein, a system and method are provided for pre-processing encrypted and/or signed messages before the messages are sent to a wireless mobile communication device. A message is received at a host system from a message sender. A determination is made as to whether any of the message recipients has a corresponding wireless mobile communication device. For each recipient that has a corresponding wireless mobile communication device, the message is processed so as to modify it with respect to encryption and/or authentication. The processed message is then sent to the wireless mobile communication device corresponding to that recipient. The system and method may also include post-processing messages sent from a wireless mobile communication device to the host system. Authentication and/or encryption processing is performed on the message, and the processed message is then sent through the host system to one or more recipients.
Field of the invention
The present invention relates generally to secure electronic messaging, and in particular to a system and method for exchanging secure e-mail messages between a host system and a mobile communication device ("mobile device") over a wireless communication network.
Brief description of the drawings
Fig. 1 is a block diagram giving an overview of an environment in which a mobile device may be used.
Fig. 2 depicts the main types of e-mail exchange commonly used on the Internet today.
Fig. 3 is a block diagram of the main components of a system that supports both secure and non-secure e-mail exchange.
Fig. 4 is a block diagram showing size reduction of a received encrypted message.
Fig. 5 is a block diagram showing size reduction of a received signed message.
Fig. 6 is a block diagram of a system that reduces the size of a signed message based on information stored at the mobile device.
Fig. 7 is a block diagram of secure message size reduction for a received message that has been encrypted and then signed.
Fig. 8 is a block diagram of secure message size reduction for a received message that has been signed and then encrypted.
Fig. 9 is a block diagram showing an encrypted message pre-processing system.
Fig. 10 is a block diagram of a signed message pre-processing system.
Fig. 11 is a block diagram of secure message pre-processing for a received message that has been encrypted and then signed.
Fig. 12 is a block diagram of secure message pre-processing for a received message that has been signed and then encrypted.
Figs. 13 and 14 are flow diagrams of a method for pre-processing signed, encrypted, or signed and encrypted messages before they are sent to a mobile device.
Fig. 15 is a flow diagram of a method for post-processing a signed, or encrypted and then signed, message sent from a mobile device.
Fig. 16 is a flow diagram of a method for post-processing an encrypted, or signed and then encrypted, message sent from a mobile device.
Fig. 17 is a block diagram of an exemplary wireless communication device that may use the systems and methods described herein.
Figs. 18 and 19 are block diagrams relating to message processing at a mobile device.
Fig. 20 is a block diagram showing an exemplary communication system.
Fig. 21 is a block diagram of another exemplary communication system.
Fig. 22 is a block diagram of a further alternative communication system.
Detailed description
For corporate users with mobile devices that access or store data associated with a corporate computer system, a richer and more secure e-mail experience requires support for S/MIME, PGP and other secure e-mail methods in the wireless environment. The systems and methods described herein allow secure message transfer methods to be used, for example, between corporate users and mobile devices. The related U.S. Patent 6,219,694, issued April 4, 2001 and entitled "System and Method for Pushing Information from a Host System to a Mobile Data Communication Device Having a Shared Electronic Address" (referred to herein as the "'694 patent"), which is incorporated herein by reference in its entirety, makes it possible to extend a corporate e-mail mailbox to a mobile device. Using a system such as the one described in the '694 patent, "Internet"-formatted e-mail can be sent or pushed to a mobile device, thereby providing richer security and greater reach, and extending the technology available to the mobile communications industry today. Earlier push e-mail schemes could not suitably support security between different companies. As secure e-mail between corporate and private users grows, it is desirable for mobile devices to support the S/MIME and PGP standards for such secure e-mail methods.
As used in this application, the term "host system" refers to one or more computers at which, or with which, a wireless communication connector system (referred to herein as the "wireless connector") operates. In one embodiment, the host system is a server computer running behind at least one security firewall within a protected corporate network environment. The host system implements the wireless connector system as an associated wireless communication enabling component, which is normally a software program, application or component built to work with at least one message server, such as Microsoft™ Exchange or Lotus Domino™. The wireless connector system or software program is used to send user-selected information to, and receive it from, a mobile device over a wireless network. Alternatively, the host system may be a user's desktop or laptop PC, also operating in a corporate environment connected to a local area network (LAN), or any other system that can communicate with the user's PC. The wireless connector system or software program can thus be server-based or PC-based, so that the host system may be a server computer, a desktop computer or a laptop computer.
Once it detects that one or more trigger events have occurred, the wireless connector system operating at the host system sends or mirrors user-selected data items, or portions of data items, from the host system to the user's mobile device over the wireless network. In the course of sending data items to the user's mobile device, special processing is performed to support S/MIME or PGP encrypted messages. As is known to those skilled in the S/MIME field, applying S/MIME algorithms to a message drastically increases the size of the original e-mail message. By applying advanced filtering, reorganization and pre-processing to the message, the user can still receive these data items on the mobile device. In some cases, the user can have full control over the S/MIME processing stages, and can direct the host system as to which procedures to perform on a message.
When wireless access to corporate data has been activated at the host system for a mobile device, for example when the host system detects a trigger event, the host system repackages received messages in a manner that is transparent to the mobile device, so that the messages sent to and received by the mobile device appear similar to the messages stored at, and accessible from, the host system. Trigger events include, but are not limited to, one or more of the following: a command sent from the mobile device or another computer to the host system to begin sending one or more messages stored at the host system, activation of a screen saver application on the host system or on a computer associated with the host system, and so on. In addition to repackaging the information itself, the repackaging can also supply information about the message, for example whether the message was signed and whether the signature was verified. A preferred repackaging method packages a received message that is to be sent over the wireless network in an electronic envelope corresponding to the wireless network address of the mobile device. Alternatively, another repackaging method may be used in the system, such as a special-purpose Transmission Control Protocol/Internet Protocol (TCP/IP) packaging technique. This repackaging preferably also causes e-mail messages sent from the mobile device to appear to originate from the host system even though they were initiated at the mobile device (for example, composed and sent from the mobile device), so that to the intended recipients of such messages the mobile device user appears to have a single e-mail address.
In an alternative system and method, the wireless connector system works with a network server, and a server program detects multiple event triggers on the network from a plurality of user computers (such as desktop and notebook computers) connected to the server over a local area network (LAN). The server can detect internal event triggers from each desktop computer over the network, and can also detect external event triggers, such as a message or command from a user's mobile device. In response to detecting one of these triggers, the server sends the received messages to the appropriate mobile device. Messages for a particular mobile device can be stored, together with addressing information, on a storage device located at, connected to or associated with the server, or on a storage device located at, connected to or associated with a desktop or notebook computer connected to the LAN. With this alternative configuration, one wireless connector system can serve multiple users. This arrangement can also include an Internet- or intranet-based system that is accessible through a secure web page or other user interface. The wireless connector system may also be located at an Internet Service Provider (ISP) system and be accessible separately or through an Internet interface.
In another configuration, the wireless connector system runs on both the host system and the user's mobile device. The user's mobile device then operates similarly to the host system, and is configured in a similar manner, so that once a trigger event at the mobile device is detected, certain user-selected data items are sent from the mobile device to the host system (or possibly to some other destination). This configuration provides two-way transfer of information between the host system and the mobile device.
Fig. 1 is a block diagram giving an overview of an environment in which a mobile device may be used. Those skilled in the art will appreciate that many different configurations are possible, but the one shown in Fig. 1 helps to demonstrate how the systems and methods described herein may be implemented.
In Fig. 1, a corporate LAN 30 behind a security firewall 22 is shown as an example of a central, server-based host system (typically referred to herein as the corporate LAN or home location). However, this is not limited to a corporate office: it could be a branch office, a home office or any other place where e-mail messages are exchanged. As noted above, the host system could instead be a desktop or laptop computer. Also shown is an e-mail sender 10, which may for example be an individual using an ISP account, a person in another company, a person in another branch office of the same company, or an ASP (application service provider) user.
Within the corporate LAN 30 is a message server 40, running on a computer behind the corporate firewall, which serves as the company's main interface for exchanging e-mail, calendar data, voice mail, electronic documents and other personal information management (PIM) data with a WAN 20, which is usually the Internet. The two most common message servers 40 are the Microsoft Exchange and Lotus Domino server products. These servers are often used together with Internet mail routers, which typically use UNIX-based mail transfer protocols to route and deliver e-mail. These intermediate steps and computers depend on the particular type of message delivery mechanism and network through which e-mail messages are exchanged, and are not shown in Fig. 1 because they do not directly play a major role in the operation of the systems and methods described. The message server 40 may extend beyond just sending and receiving e-mail, providing functions such as a dynamic database storage engine with predefined database formats for data like calendars, to-do lists, task lists, e-mail and documents.
In this typical corporate environment, a wireless connector system 45, as briefly described above, can work with the message server 40. The wireless connector system 45 may reside on the same computer as the message server 40, but this is not required. The wireless connector system 45 is designed to cooperate and interact with the message server 40 so that information can be pushed to mobile devices 100. In such an installation, the wireless connector system 45 is preferably configured to send confidential and non-confidential corporate information through the corporate firewall 22 over a wireless network to the mobile device 100 of each user that has one. The wireless connector system 45 preferably employs "push-based" technology, "pull-based" technology, or some combination of the two, so that any e-mail system that includes a message server 40 can be extended. A user's mobile device 100 can thus access the messages stored at the message server. Although this system is described separately from "push-based" technology, more detailed descriptions of such redirection systems can be found in the '694 patent cited above and in the following co-pending and commonly owned U.S. patent applications, all of which relate to the '694 patent: U.S. Patent Applications S/N 09/401,868, S/N 09/545,963, S/N 09/528,495, S/N 09/545,962 and S/N 09/649,755. The entire disclosure of each of these applications, including drawings and claims, is hereby incorporated into this application by reference. This push technology uses wireless friendly encoding, compression and encryption techniques to deliver all information to the mobile device, thereby effectively extending the corporate firewall 22 to include the mobile device 100.
As shown in Fig. 1, there are many possible paths for getting information from the corporate network 30 to the mobile device 100. One possible path to the mobile device 100, discussed later in this description, is to use an interface or connector 65 through a physical connection 50 such as a serial port. This path is useful, for example, for the bulk information updates that are often performed at system initialization, or periodically during a user's work cycle, when the user of the mobile device 100 has a desktop computer system such as computer system 35 on the LAN 30. Although only one desktop computer system 35 is shown in Fig. 1, those skilled in the art will appreciate that a LAN will typically include many desktop, notebook and laptop computer systems.
Another method for exchanging data with the mobile device 100 is over the air, using a wireless network. As shown in Fig. 1, this may involve a wireless Virtual Private Network (VPN) router 75 (if one is available in network 30), or a traditional wide area network (WAN) connection to a wireless gateway 85 that provides an interface to one or more wireless networks such as 105 and 110. The concept of a wireless VPN router 75 is new in the wireless industry, and implies that a VPN connection can be established directly through a specific wireless network 110 to a wireless device 100. Using a wireless VPN router has only recently become feasible, and it can be used with a static addressing scheme. For example, a wireless network such as 110 can be an IP-based wireless network in which the new IP Version 6 (IPV6) would provide enough IP addresses to dedicate an IP address to every mobile device 100, making it possible to push information to the mobile device 100 at any time. A main advantage of using the wireless VPN router 75 is that it could be an off-the-shelf VPN component that does not require a separate wireless gateway 85. A VPN connection would most likely use a TCP/IP or UDP (User Datagram Protocol)/IP connection to deliver messages directly to the mobile device 100.
If a wireless VPN is not available, then a link to the WAN 20, normally the Internet, is typically used as the connection mechanism. The path over which wireless data is transmitted to the mobile device 100 is known to those skilled in the wireless field. To handle the addressing of the mobile device 100 and any other required interface functions, a wireless gateway 85 is preferably used. The wireless gateway 85 may also determine the most likely network for locating a given user, and track the user as the user roams between countries or networks. In wireless networks such as 110 and 105, messages are normally delivered to and from the mobile device 100 by RF transmissions between a base station (not shown) and the mobile device 100.
Fig. 1 also shows an e-mail message 15 composed by, and leaving, an e-mail sender 10 located somewhere on the WAN 20. This message 15 is entirely in the clear, and uses the traditional Simple Mail Transfer Protocol (SMTP), RFC822 headers and MIME body parts to define the format of the e-mail message. These techniques are known to those skilled in the art. In this environment, the message 15 arrives at the message server 40 and is forwarded by the wireless connector system 45 to the mobile device 100. When this occurs, the message is re-enveloped, as indicated at 80, and a compression and encryption algorithm is applied to the original message 15. In this way, messages read on the mobile device 100 are as secure as those read on the desktop computer system 35. Preferably, all messages exchanged between the system 45 and the mobile device 100 use this message re-packaging technique. Another goal of this outer envelope, although not required, is to keep at least some of the addressing information of the original message 15. This allows reply messages to reach the appropriate destination, and allows the "from" field to reflect the mobile device user's e-mail address on his or her desktop computer system 35. Information received from the e-mail address of the mobile device 100 then appears to come from the user's e-mail account on the desktop computer system 35 rather than from the mobile device 100.
Returning to the physical connection 50 with the mobile device 100, this access path offers many advantages for realizing one-time, bulk data exchanges. As is known to those skilled in the Personal Digital Assistant (PDA) and data synchronization fields, personal information management (PIM) data is commonly exchanged over such a connection, for example a serial port connected to an appropriate interface or connector 65 such as a cradle into which the mobile device may be placed. When exchanged for the first time, the amount of PIM data tends to be relatively large and requires substantial bandwidth to be transferred to the mobile device 100. This physical connection 50 may also be used for other purposes, including transferring from the user's desktop computer system 35 to the user's mobile device 100 private security keys (referred to herein as "private keys"), such as the mobile device user's private key used in processing S/MIME messages, the user's digital certificate (Cert) and any chained certificates, and CRLs. The private key may be generated, for example, using cursor position information collected while the user moves a mouse or other input device of the computer system 35 to which the mobile device is connected. The private key may then be loaded onto the mobile device 100 through the physical connection 50 and the interface or connector 65.
Exchanging the private key allows the user's desktop computer system 35 and mobile device 100 to share at least one identity and one method for accessing all encrypted mail. Since the private key is shared between the user's desktop computer system 35 and the mobile device 100, either the host system 35 or the mobile device 100 can process secure messages addressed to the user's e-mail account or desktop computer system 35. Transferring certificates and CRLs over this physical connection 50 may be necessary because they represent a large amount of data that the mobile device 100 needs for S/MIME, PGP and other public key security methods. A certificate is often part of a certificate chain, which includes the user's certificate and possibly other certificates needed to verify that the user's certificate is authentic. When verifying a signature on a signed message, the message recipient will typically also obtain the certificate chain for the signing certificate, and verify that each certificate in the chain was signed by the next certificate in the chain, until a certificate is found that was signed by a trusted source, for example the root certificate of a Certificate Authority (CA) such as Verisign™ or Entrust™, two leading companies in the public key field, associated with a large Public Key Server (PKS). Once such a certificate is found, the signature should be trusted, because both the sender and the recipient trust the source of the root certificate.
It should be understood that the user's own certificate or certificate chain, as well as those of other users, may be loaded onto the mobile device 100 from the desktop computer system. If the user's certificate or certificate chain is on the mobile device 100, it may be sent to the recipients along with any secure message composed on the mobile device 100, so that each recipient can verify the trust status of the certificate. The purpose of loading other users' certificates and chains onto the mobile device 100 is to allow the mobile device user to select other entities or users with whom secure messages may be exchanged, and to pre-load the larger information onto the mobile device 100 over the physical connection rather than over the air, thereby saving time and wireless bandwidth when receiving secure messages from, or sending secure messages to, those other users. Large information is generally any electronic data with a large byte size. Loading CRLs onto the mobile device also allows the mobile device to determine the status of received certificates.
Referring again to Fig. 1, there is normally a series of connections to the wireless networks 110 and 105. As will be appreciated by those skilled in the art, these connections may include, for example, Integrated Services Digital Network (ISDN), Frame Relay or T1 connections using the TCP/IP protocol used throughout the Internet. These networks may represent distinct, unique and unrelated networks, or they may represent the same network in different countries. The term "wireless network" is intended to include different types of networks, including but not limited to (1) data-centric wireless networks, (2) voice-centric wireless networks and (3) dual-mode networks that can support both voice and data communications over the same or similar physical base stations. These newer networks include but are not limited to (1) Code Division Multiple Access (CDMA) networks, (2) the Groupe Spécial Mobile or Global System for Mobile Communications (GSM) and General Packet Radio Service (GPRS) networks, both developed by the CEPT standards committee, and (3) third-generation (3G) networks such as Enhanced Data rates for Global Evolution (EDGE) and Universal Mobile Telecommunications System (UMTS). GPRS is a data overlay on top of the very common GSM wireless network, operating in virtually every country in Europe. Some older data-centric networks include, but are not limited to, (1) the Mobitex™ radio network ("Mobitex") and (2) the DataTAC™ radio network ("DataTAC"). Examples of older voice-centric data networks include Personal Communication Systems (PCS) networks such as CDMA, GSM and Time Division Multiple Access (TDMA) systems.
Turning now to Fig. 2, the main types of e-mail exchange currently in common use on the Internet are shown. First there is the normal exchange of an e-mail message (Method 1). In this case, the e-mail is created using RFC822, RFC821 and MIME techniques, and transferred using the standard SMTP mail exchange protocol, as shown at 120. The e-mail is then received and delivered to the addressed user, as indicated at 125. This normal e-mail exchange is typically secure within a company or LAN such as 30 located behind a security firewall 22, but is not secure between individual users and/or users on different networks.
Also in common use are VPN connections for inter-office messaging (Method 2), for example between branch offices of the same company, or sometimes between different companies that work closely together. With this method, a low-level security scheme known as IP Security (IPSec) can be used to encrypt all data exchanged between two VPN sites, as indicated at 130. When an encrypted e-mail is received at the corresponding VPN system, it is decrypted into plaintext and routed to the addressed user, at 135.
E-mail exchange between users at different companies that have adopted private security schemes is shown in Fig. 2 as Method 3. In this case, protocols such as PGP, OpenPGP or some other less widely used protocol are used to encrypt the e-mail before it is sent, at 140. Once received, at 145, the corresponding mail agent decrypts the e-mail and presents the plaintext to the recipient.
Methods 4, 5, 6 and 7 shown in Fig. 2 involve S/MIME. These methods are all different variants of S/MIME. In Method 4, the sender takes a digest of the e-mail message and signs the digest using the sender's private key, as shown at 150. The digest may be produced, for example, by performing a checksum, Cyclic Redundancy Check (CRC) or some other preferably non-reversible operation such as a hash on the message, and is then signed by the sender using the sender's private key. The signed digest, probably along with the sender's certificate and possibly any chained certificates and CRLs, is appended to the outgoing message. The recipient of such a signed message also takes a digest of the message, compares this digest with the digest appended to the message, retrieves the sender's public key, normally by extracting it from the sender's certificate, and verifies the signature on the appended digest. These operations are the signature verification part indicated at 155 in Fig. 2. If the message content has been changed since it was signed by the sender, then the digests will differ or the signature on the digest will not verify properly. This does not prevent anyone from seeing the content of the message, but it ensures that the message has not been tampered with since it was signed by the sender, and that the message was signed by the person indicated in the "From" field of the message. The certificate, certificate chain and CRLs are used by the recipient to ensure that the sender's certificate is valid, that is, that the certificate has not been revoked or expired, and is trusted. The combination of the digest generated at the sender and the signature on the digest is commonly referred to as a digital signature. Hereafter, references to a digital signature should accordingly be interpreted as including the digest and the signed digest.
Method 5 represents the exchange of S/MIME encrypted messages. In this method, a one-time session key is generated and used to encrypt the message body, typically using a symmetric cipher such as Triple Data Encryption Standard (3DES). Then, at 160, the session key is encrypted using the public key of each intended recipient of the message. The session key encryption is usually accomplished with a public key encryption algorithm such as Rivest Shamir Adelman (RSA). The S/MIME message, including the encrypted message and all of the encrypted versions of the session key, is sent to each recipient. Each recipient must then normally locate its corresponding encrypted session key, based on recipient information appended to the message, and decrypt that particular encoded session key using its private key, as indicated at 165. Once the session key is decrypted, it is used to decrypt the message body. The S/MIME message may also specify the encryption algorithm that must be used to decrypt the message. This information is normally placed in the header of the S/MIME message.
The exchange of encrypted-then-signed messages is shown as Method 6 in Fig. 2. In this scheme, the sender first generates a one-time session key, encrypts the message body, and then encrypts the session key with each recipient's public key, as described above. Then, at 170, the sender takes a digest of the message, including the encrypted session keys, and signs the digest using its private key to produce a digital signature. Each recipient takes a digest of the message, compares this digest with the digest appended to the message in the digital signature, retrieves the sender's public key, and verifies the signature on the digest, as described above. The correct session key is then located and decrypted with the recipient's private key, which then allows the message body to be decrypted. Signature verification and message decryption according to this method are illustrated at 175 in Fig. 2.
Method 7 in Fig. 2 shows the exchange of signed-then-encrypted messages. At 180, a digital signature is generated by the sender substantially as described above. This digital signature, and possibly the sender's certificate, certificate chain and CRLs, are all appended to the outgoing message. A session key is then generated and used to encrypt the message body, the digital signature and any certificates and CRLs. The session key is encrypted with the public key of each recipient. The resulting S/MIME message, including the encrypted versions of the session key, is sent to the recipients. When a recipient receives such a message, as shown at 185, it must first decrypt its corresponding encrypted session key with its private key. The decrypted session key is then used to decrypt the message body, the digital signature and the sender's certificates and CRLs. The digital signature can then be verified, as described above.
Fig. 3 is a block diagram of the system components supporting secure and non-secure e-mail exchange, provided to contrast and illustrate some general characteristics and functions of secure messages with typical non-secure standard messages such as Internet-based e-mail. In Fig. 3, the example corporate networks 30a and 30b are secure networks located behind respective security firewalls 22a and 22b. Although the user systems on the networks 30a and 30b, shown as desktop computer systems 35a and 35b, are preferably enabled for secure messaging with other user systems on either network, as discussed in further detail below, such user systems may also normally communicate with non-secure systems such as the e-mail sender system 12.
When the e-mail sender 12 sends an e-mail message 15 to a user on the LAN 30a, the message 15 travels through the WAN 20, which will most commonly be the Internet, and is received by the message server 40a on the LAN 30a. Because the e-mail message sender 12 is non-secure, the e-mail message 15 will normally be sent to the message server 40a on the LAN 30a unencrypted.
Message transfer between users on the LANs 30a and 30b proceeds somewhat differently, because both networks are enabled for secure e-mail communication. Users sending e-mail from the LAN 30a to one or more users on the LAN 30b are assumed to be able to secure their e-mail using S/MIME. The sender of an e-mail message, using for example the desktop computer system 35a, preferably selects one of a plurality of encoding methods; for ease of illustration, signed-then-encrypted S/MIME is assumed. The desktop computer system 35a, or possibly the message server 40a, or more likely software executing on the desktop system or server, is used to generate a digital signature for the e-mail message, and the digital signature for the sender and possibly certificates and CRLs are included in the outgoing message. The desktop computer system 35a or server 40a will then generate a session key, encrypt the entire message, fetch (or retrieve) a copy of each recipient's public key from, for example, the PKS 600, and encrypt the session key for each recipient. The PKS 600 is normally a server associated with a CA, from which the certificate of an entity, including the entity's public key, may be obtained. As will be apparent to those skilled in the art, the PKS may reside within the corporate firewall 22a or 22b, or anywhere on the WAN 20, the Internet or any other network through which a message sender can establish communication with the PKS. It should also be apparent that a message sender need not always fetch or retrieve an intended recipient's public key, for example where the recipient's certificate or public key has already been stored on a storage device at the sender's system.
The resulting message 200 to be sent to the message server 40b through the WAN 20, as shown in Fig. 3, includes an encrypted signature-related information component 202, which may include the sender's certificate, certificate chain, CRLs and digital signature, an encrypted message body portion 204 corresponding to the original e-mail message composed at the desktop system 35a, and one or more encrypted session keys 206. Components 202 and 204 are encrypted using the session key, and each recipient's public key is used to encrypt the session key, as described above. Depending on the particular secure messaging scheme used between the LANs 30a and 30b, a secure message may include components different from or additional to those shown in Fig. 3, or the same or similar components in a different order. Of course, the secure message 200 will also include at least one destination address and possibly other header information, which must be kept unencrypted to provide for routing of the message to the recipients. Such additional and/or different message fields will be apparent to those skilled in the art, and are not explicitly shown in the drawings.
Fig. 4 is a block diagram illustrating a reduction in the size of a received encrypted message. Reducing the message size improves the processing, and the transmission over a wireless network, of public key encrypted messages to a mobile device. The system shown in Fig. 4 includes an e-mail message sender 402 enabled for secure e-mail messaging, a WAN 404, which in most cases is the Internet, a corporate LAN 406 as an example host location, a wireless gateway 408, a wireless network 410, and mobile devices 412 and 414. The example host location in Fig. 4 is the LAN 406 located behind a security firewall 403, and includes a message server 405, a desktop computer system 407 and a wireless connector system 409 operating on, or in conjunction with, the message server 405, or as an integrated module of the message server 405. Operation of the system shown in Fig. 4 will be described in detail below by way of an example in which an e-mail message is composed and sent from the secure e-mail sender 402 to users A and B, each of whom has a mobile device 412 or 414 and a home desktop computer system on the host LAN 406, only one of which, 407, is shown.
As shown in Figure 4, the e-mail sender 402 composes an e-mail message including at least destination addresses directed to users A and B and an e-mail text. In this example, substantially as described above, the e-mail message is encrypted using a session key selected by the e-mail sender 402. The e-mail sender 402 then encrypts the session key using the public key of each e-mail recipient, namely the public keys of users A and B. As also described above, the public keys may be retrieved from a local store, from a PKS resident on the network (not shown) in which the e-mail sender system 402 is configured to operate, or from a PKS resident on the WAN 404 or any other network with which the e-mail sender 402 can communicate. In this example, the location of the PKS and of the public keys is not important. The system does not depend on any particular key management scheme at an e-mail message sender such as 402.
The secure message 416 sent to the recipient addresses on the message server 405 through the WAN 404 includes the encrypted message 418 and the encrypted versions 420, 422 of the session key for all recipients. It should be understood that the message components shown at 416 represent those components directly involved in the system. A message sent by an e-mail message sender such as 402 may include additional components, or may include the components shown at 416 in a different order than shown, without affecting the operation of this aspect of the system.
When the message is received at the message server 405, possibly via the host location and one or more other computer systems (not shown) connected to the WAN 404, the wireless connector system 409 detects that the message is secure and encrypted. The system 409 also determines that users A and B have associated mobile devices 412, 414, and that the received secure message should be sent to the mobile devices 412, 414 through the wireless network.
According to this aspect, the system 409 reduces the size of the message by removing any encrypted session keys not needed by each user's mobile device. An S/MIME message, for example, includes a recipient information list that provides a map of which encrypted session key corresponds to each recipient in the To, Cc or Bcc fields of the message. The recipient information list may therefore be consulted by the system 409 to determine which encrypted session key should be sent to each recipient.
As shown in Figure 4, the system 409 detects that the received message 416 is addressed to both user A and user B, and sends a modified copy of the message 416 to each user's mobile device. The message sent to the mobile device 412 of user A is shown in greater detail at 424, and includes the encrypted message body 418 and only the encrypted session key 420 that was encrypted with user A's public key. The encrypted session key 422 of user B, which cannot be used by user A, is removed by the system 409 from the message sent to the mobile device 412. Similarly, the encrypted session key 420 intended for user A is removed by the system 409 from the received encrypted message, and a generated message including the encrypted message body 418 and the encrypted session key for user B is sent to the mobile device 414, as shown at 426.
Because each user receives its corresponding encrypted session key as part of the secure message, the secure message can be processed at each device 412, 414, even though other information in the original secure message 416 sent by the e-mail sender 402 has been removed by the system 409. The encrypted session key may be decrypted on each mobile device 412, 414 using the respective user's private key resident on the mobile device, and then used to decrypt the message body. As described above, a user's private key may be transferred to the user's mobile device from the desktop computer system such as 407, for example through a physical connection (not shown in Fig. 4). After the message body has been decrypted, a user interface on the mobile device can present the unencrypted message on the display of the device. By reorganizing the original message as described above, with all unnecessary encrypted versions of the session key removed from the original message, the size of the message sent to the mobile device through the wireless network is reduced. For S/MIME messages, because a mobile device receives only the encrypted version of the session key that corresponds to it, the recipient information list is not needed and may also be removed, further reducing the message size. Since the number of encrypted versions of the session key and the size of the recipient information list grow with the number of recipients of the original message, the message size reduction can be particularly effective for original messages with a large number of recipients.
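The per-recipient reduction described for Fig. 4, as an added example that is not part of the patent: the sender wraps a one-time 3DES session key for every recipient (Method 5), the connector keeps only the receiving user's wrapped key and drops the recipient list, and the device opens the result with its own private key. CTR mode, RSA-OAEP and keying recipients by address are assumptions; the page names only 3DES and RSA, and S/MIME identifies recipients by certificate issuer and serial number.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RecipientInfo is one entry of the recipient information list: which wrapped
// session key belongs to which recipient (keyed by address here; S/MIME uses
// the recipient certificate's issuer and serial number).
type RecipientInfo struct {
	Address    string
	WrappedKey []byte // session key encrypted under the recipient's RSA public key
}

// EnvelopedMessage is the message as received at the message server (416 in
// Fig. 4): one ciphertext body plus one wrapped session key per recipient.
type EnvelopedMessage struct {
	Recipients []RecipientInfo
	Body       []byte // IV followed by the 3DES-CTR ciphertext
}

// DeviceMessage is what goes over the air (424/426): the body and only the
// wrapped key this device can open; the recipient list is dropped.
type DeviceMessage struct {
	WrappedKey, Body []byte
}

// Envelope is the sender side of Method 5: a one-time 3DES session key
// encrypts the body and is wrapped for every recipient with RSA. CTR mode
// and RSA-OAEP are assumptions; the page only names 3DES and RSA.
func Envelope(body []byte, pubs map[string]*rsa.PublicKey) (*EnvelopedMessage, error) {
	key, iv := make([]byte, 24), make([]byte, des.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	m := &EnvelopedMessage{Body: make([]byte, des.BlockSize+len(body))}
	copy(m.Body, iv)
	cipher.NewCTR(blk, iv).XORKeyStream(m.Body[des.BlockSize:], body)
	for addr, pub := range pubs {
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		m.Recipients = append(m.Recipients, RecipientInfo{Address: addr, WrappedKey: wk})
	}
	return m, nil
}

// ReduceForDevice is the wireless connector's step: consult the recipient list
// and keep only this user's wrapped key. No key for the user means no forwarding.
func ReduceForDevice(m *EnvelopedMessage, addr string) (*DeviceMessage, error) {
	for _, r := range m.Recipients {
		if r.Address == addr {
			return &DeviceMessage{WrappedKey: r.WrappedKey, Body: m.Body}, nil
		}
	}
	return nil, fmt.Errorf("no session key for %s; not forwarded", addr)
}

// WireSize and DeviceWireSize count payload bytes so the saving can be measured.
func WireSize(m *EnvelopedMessage) int {
	n := len(m.Body)
	for _, r := range m.Recipients {
		n += len(r.Address) + len(r.WrappedKey)
	}
	return n
}

func DeviceWireSize(d *DeviceMessage) int { return len(d.WrappedKey) + len(d.Body) }

// OpenOnDevice unwraps the session key with the device's private key and
// decrypts the body; the other recipients' keys were never needed.
func OpenOnDevice(d *DeviceMessage, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, d.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(d.Body) < des.BlockSize {
		return nil, fmt.Errorf("body too short to hold an IV")
	}
	pt := make([]byte, len(d.Body)-des.BlockSize)
	cipher.NewCTR(blk, d.Body[:des.BlockSize]).XORKeyStream(pt, d.Body[des.BlockSize:])
	return pt, nil
}
```

With 2048-bit keys each wrapped session key is 256 bytes, so a three-recipient message loses two wrapped keys and three addresses on its way to each device.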
Although the exemplary system shown in Fig. 4 includes the message server 405 and the system 409 in a corporate LAN 406 behind a security firewall 403, the system may also be applied to other types of systems, for example where a mobile device user has a computer system connected to the Internet directly or, for example, through an Internet Service Provider (ISP). In this case, the desktop computer system implements the wireless connector system, preferably as a desktop version of the wireless connector system operating in conjunction with an electronic messaging program running on the desktop computer system. Examples of electronic messaging programs include, but are not limited to, MS Outlook, Lotus Notes and Eudora. These programs may access mail stored on a first data storage device (not located on the desktop computer) through one or more means, including POP. A desktop-based wireless connector with an electronic messaging program sends received messages to the user's mobile device through the wireless network 410, and performs the message size reduction operations described above.
Fig. 5 is a block diagram illustrating a reduction in the size of a received signed message. The overall system shown in Fig. 5 is similar to the system of Fig. 4, and the system components in Fig. 5 are labelled substantially the same as the similar components in Fig. 4, although their operation is somewhat different, as described below.
For illustration, assume that the system 502 sends an e-mail message to users A and B and wants to sign the message, so that users A and B can confirm that the sender is the real sender of the message and that what was received is what the sender sent. To allow the message recipients to confirm that the sender's signature is trustworthy, the e-mail sender 502 normally adds its certificate, any other certificates in the certificate chain, and possibly a current CRL. A secure message sent from the e-mail sender 502 may thus have the form shown at 516, including the sender's certificate, certificate chain, CRL and digital signature 518, and the message body 520. In S/MIME, the certificate, chain, CRL and signature are normally placed at the beginning of the message body, as shown in Figure 5. Messages according to other secure messaging schemes may place the message components in a different order than shown, or include additional and/or different components.
A secure message such as 516 will normally be sent to the addressed recipients through a WAN 504 such as the Internet. In Fig. 5, the message is addressed to only two recipients, each of whom has an e-mail account associated with the same message server 505, although the system is not so limited. The exemplary system in Fig. 5 is only one example of a system, and is intended for illustration only.
Once received by the message server 505, the secure message is routed to each recipient's e-mail account on the server 505. The wireless connector system 509 detects the new message and determines whether the message should be sent to any recipient's mobile device through the wireless network. If so, the system 509 then reorganizes the message: the message body is placed first, followed by the digital signature, and then the certificate, certificate chain and CRL. The certificate, certificate chain and CRL are then preferably stored by the system 509 at the host system. The message, including at least the message body and the digital signature, is then sent through the wireless network to the mobile devices 512 and 514 of the recipient users A and B, as shown at 522 and 526. The digital signatures 524, 528 are effectively a truncated form of the certificate, certificate chain, CRL and digital signature component 518 of the original message. Although labelled differently in the messages 522 and 526, the signatures 524 and 528 are actually the same signature generated by the e-mail sender 502. The certificate, certificate chain and CRL are not initially sent to the mobile devices 512, 514 along with the message body and signature, on the assumption that the certificates and CRL may have been pre-loaded onto a storage device of each device, for example using the physical connections 515, 517 to the desktop computer systems 511, 513. It is also possible that the sender's certificate and certificate chain were appended to a previous secure message sent to the mobile device 512, 514 through the wireless network and subsequently stored on the mobile device. An up-to-date CRL may similarly already exist on the mobile device 512, 514. In these cases, the certificate, certificate chain and CRL are not sent out, since they would not be used on the mobile device 512, 514. If any of this information is needed but not present on the mobile device 512, 514, it may then be requested from the wireless connector system 509.
As described above, a user can see the content of a signed message and may first verify the signature. The certificate, certificate chain and CRL are only needed when a mobile device user wishes, for example, to verify the signature 524 on a message from the e-mail sender 502. If these components are present on the mobile device 512, then the signature verification operation can be completed without further communication between the mobile device 512 and the LAN 506. If, however, these certificates and CRL information are not available for the sender from whom the signed message was received, then, according to another aspect of the system, the user submits a request to the system 509 to send the remainder of the original message, in particular the certificates and CRL that the system 509 removed from the message at the host location (LAN 506) before it was sent to the mobile device through the wireless network 510. Once the certificates and CRL are received at the mobile device 512, the signature can be fully checked and verified.
Removing the relatively large (that is, of large byte size) certificates and CRLs from a received signed message before it is sent to the mobile device can significantly reduce the size of the signed messages sent through the wireless network 510, thereby conserving wireless network resources and reducing the bandwidth and time required to transmit a signed message to the mobile device.
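The Fig. 5 flow as an added example, not the patent's code: the connector puts the body first, holds back the certificate, chain and CRL, and serves them on request; the device walks the chain to a trusted root and checks the CRL before asking for anything it lacks. Certificates are plain records keyed by subject name (no X.509 parsing) and the signature is RSA PKCS#1 v1.5 over a SHA-256 digest; both are assumptions, as are the names and serials used in the test.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Cert struct { // simplified certificate record; no X.509 parsing is done
	Subject, Issuer string
	Serial          int64
	Pub             *rsa.PublicKey
}

type Signature struct { // the digital signature as the page defines it: digest plus signed digest
	Signer       string // subject of the signing certificate
	Digest       [32]byte
	SignedDigest []byte
}

type SignedMessage struct { // as sent (516): certificates, CRL and signature ahead of the body
	ID    string
	Certs []Cert         // sender certificate plus chain; nil once stripped
	CRL   map[int64]bool // revoked serials; nil when no CRL is present
	Sig   *Signature
	Body  []byte
}

// Sign digests the body and signs the digest (RSA PKCS#1 v1.5 over SHA-256, an assumption).
func Sign(body []byte, signer string, priv *rsa.PrivateKey) (*Signature, error) {
	sum := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return &Signature{Signer: signer, Digest: sum, SignedDigest: sig}, err
}

type Connector struct{ stripped map[string]SignedMessage } // wireless connector system; keeps what it stripped

func NewConnector() *Connector { return &Connector{stripped: map[string]SignedMessage{}} }

// Prepare holds back certificate, chain and CRL at the host and forwards only
// the body, now first, followed by the signature (522/526 in Fig. 5).
func (c *Connector) Prepare(m SignedMessage) SignedMessage {
	c.stripped[m.ID] = SignedMessage{ID: m.ID, Certs: m.Certs, CRL: m.CRL}
	return SignedMessage{ID: m.ID, Body: m.Body, Sig: m.Sig}
}

// Remainder answers a device's request for the parts it did not receive.
func (c *Connector) Remainder(id string) SignedMessage { return c.stripped[id] }

type Device struct { // the certificates and CRL already on a mobile device
	Roots map[string]bool // subjects trusted as roots
	Certs map[string]Cert // by subject
	CRL   map[int64]bool  // nil until a CRL has been loaded
}

// Install stores material received from the connector or over the physical connection.
func (d *Device) Install(r SignedMessage) {
	for _, c := range r.Certs {
		d.Certs[c.Subject] = c
	}
	if r.CRL != nil {
		d.CRL = r.CRL
	}
}

// Check verifies the signature when chain and CRL are present and otherwise returns
// the parts to request. A bad digest or a revoked certificate fails outright.
func (d *Device) Check(m SignedMessage) (verified bool, request []string, err error) {
	if m.Sig == nil || sha256.Sum256(m.Body) != m.Sig.Digest {
		return false, nil, fmt.Errorf("missing signature or digest mismatch")
	}
	if d.CRL == nil {
		request = append(request, "crl")
	}
	signer, ok := d.Certs[m.Sig.Signer]
	if !ok {
		return false, append(request, "cert", "chain"), nil
	}
	for name, hops := m.Sig.Signer, 0; !d.Roots[name]; hops++ { // walk issuer by issuer to a trusted root
		c, ok := d.Certs[name]
		if !ok {
			return false, append(request, "chain"), nil
		}
		if d.CRL != nil && d.CRL[c.Serial] {
			return false, nil, fmt.Errorf("certificate %d (%s) is revoked", c.Serial, c.Subject)
		}
		if c.Issuer == name || hops > 16 {
			return false, nil, fmt.Errorf("chain does not reach a trusted root")
		}
		name = c.Issuer
	}
	if len(request) > 0 {
		return false, request, nil
	}
	err = rsa.VerifyPKCS1v15(signer.Pub, crypto.SHA256, m.Sig.Digest[:], m.Sig.SignedDigest)
	return err == nil, nil, err
}
```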
In another embodiment of this aspect of the system, the users' host systems 511, 513 include a certificate synchronization system, shown in further detail in Fig. 6, which is a block diagram of a system for reducing signed message size based on information stored on the mobile device. In Fig. 6, to avoid crowding the drawing, the system components outside the host system at which the wireless connector system operates are not shown. For clarity, the connections between the message server and the host computer systems have also been omitted. It will be apparent, however, that the system shown in Fig. 6 may include such components and connections as are common to messaging systems.
The exemplary system in Fig. 6 includes a message server 602, a wireless connector system 604 and two desktop computer systems 606, 614. Each desktop computer system includes a physical connection 608, 616 through which certificates, CRLs and possibly other relatively large information may be transferred to a user's mobile device (not shown). According to this embodiment of the system, each desktop computer system 606, 614 includes a certificate synchronization (sync) system 610, 618, which in most schemes will be a software application. The certificate sync systems 610, 618 and the physical connections 608, 616 on the host computer systems 606, 614 are connected to data stores 612, 620. As will be appreciated by those skilled in the art, the data stores 612, 620 may be any storage media, including for example local hard drives and other memory units. It is also contemplated that certificates and CRLs, which are public information, may be shared between the computer systems on a network, for example, such that the stores 612, 620 are actually the same data store on, for example, a network file server.
Using the certificate sync system 610, when the mobile device is connected to the desktop computer system through connection 608, user A preferably selects and transfers certificates and possibly CRLs (if necessary) to his or her mobile device. However, because CRLs tend to be large and require substantial memory resources for storage, the user will most likely transfer only certificates to the mobile device. The certificate sync system may then be configured to consult a corresponding CRL to ensure that a certificate has not been revoked before it is sent to the mobile device, or optionally to remove any revoked certificates from the list of certificates to be downloaded. On a device, certificates may be stored in a data store such as random access memory (RAM), flash memory or another such writable memory component on the mobile device.
As shown in Fig. 6, each certificate sync system 610, 618 can also communicate with the wireless connector system 604. This allows the certificate sync system to tell the wireless connector system which certificates have been installed on the user's mobile device. This may be accomplished, for example, by having each certificate sync system transmit, after any device-related operation, either a complete up-to-date list of all certificates on the device or a list of certificate additions and deletions. Certificate updates may also be sent to the wireless connector system 604 whenever the mobile device is connected to its desktop computer system and the certificate sync system detects a new certificate on the mobile device. Although the certificate sync system is useful for loading onto the mobile device the particular certificates of entities from which the user expects to receive signed messages, there may be situations in which a mobile device user obtains certificates from other sources, such as a CA. In such cases, the certificate sync system may also be configured to determine whether particular certificates have been loaded onto the mobile device since the last certificate transfer performed using the certificate sync system and, if so, to transmit a device certificate update to the wireless connector system 604.
When such a device certificate update is received from a desktop computer system 606, 614, the user profile that the wireless connector system 604 maintains for the particular user in data store 622 is updated. Although user profiles 624, 626 may include such information as the user name, configuration settings controlling which information is sent over the wireless network, mobile device identification information and further user configuration or mobile device related information, the wireless connector system 604 preferably also stores a list of the certificates stored on the user's mobile device. In the example shown in Fig. 6, user A's mobile device has the certificate of entity X stored on it, as represented by [Cert X], and user B has the certificate of entity Y stored on his or her mobile device, [Cert Y]. The single certificate shown in each user profile 624, 626 is for illustration only; mobile devices preferably have sufficient memory resources to store multiple certificates.
When a signed message 628 comprising a certificate, certificate chain, CRL and digital signature component 630 and a message body 632 arrives at the message server 602, it is detected by the wireless connector system 604 as described above. The original message is then rearranged so that the message body is placed first, followed by the digital signature and signature-related information. According to this embodiment of the system, the wireless connector system 604 then determines, by consulting the user profile of each addressed mobile device user, whether each mobile device to which the message is to be sent requires the signature-related information. Because the sender's certificate, Cert X, is already stored on user A's mobile device, only the rearranged message 634 comprising the message body 632 and the digital signature 636 is sent to user A's mobile device. Although the certificate of entity Y is stored on user B's mobile device, the sender's Cert X used for the original message 628 is not available on user B's mobile device; the rearranged message for user B's mobile device therefore includes the message body 632 and the signature-related information and digital signature component 630. As above, the wireless connector system 604 may instead store the signature-related information for later transmission to user B's mobile device and initially send only the message body and digital signature.
The certificate sync systems 610, 618 and the use of device-specific subscriber information at the wireless connector system 604 allow the wireless connector system 604 to determine which information a particular mobile device needs, and to remove any unnecessary information from a message sent to that mobile device. Instead of assuming that a mobile device may have a certificate stored, as in the preceding embodiment, the wireless connector system 604 can determine whether the device actually has the certificate stored. User profiles may also be used to specify other configuration settings, for example that CRLs should never be sent to the user's mobile device, or that signature-related information should be sent to the user's mobile device only when requested.
Referring now to Figs. 7 and 8, the effect of signing first or encrypting first when producing a signed and encrypted message will be discussed. When a message is first signed and then encrypted, one set of rearrangement and/or message reduction schemes can be used. When a message is first encrypted and then signed, other rearrangement and size reduction techniques are available. As will be apparent, only the host-side components of the message system (the message server and the wireless connector system) are shown in each of Figs. 7 and 8.
Fig. 7 is a block diagram of secure message size reduction for a received message that was encrypted and then signed. Such a message 706 comprises a message body 710 encrypted using a session key established by the sender. The session key is encrypted using the public key of each intended message recipient, users A and B in this example, to produce an encrypted session key 712, 714 for each user. The encrypted message body 710 and the encrypted session keys 712, 714 are then signed substantially as described above. Although the signing is performed after encryption, the message component 708 comprising the digital signature together with the certificate, possibly a certificate chain and one or more CRLs may for example be at the beginning of the secure message, as in S/MIME.
This encrypted and signed message 706, with the session keys 712, 714 and the digital signature and signature-related information 708, is received by the message server 702, which processes the message and places it in the appropriate mailboxes for users A and B. The wireless connector system 704 detects the new message and begins processing it for sending to each recipient having a mobile device. Before the message is sent to a mobile device, the digital signature and certificate portion 708 of the message is preferably at least rearranged so that the digital signature and signature-related information are moved to the end of the message. Because the encrypted message body 710 and the encrypted session keys 712, 714 have all been signed, only the signature and the signature-related information can be rearranged or removed from the message. If the wireless connector system 704 were to process the message 706 so as to rearrange or remove any signed component before sending the message to a mobile device, signature verification would fail at the mobile device.
As described above, certificates, any certificate chain and CRLs (if included in the message 706) can be removed at the wireless connector system 704 and stored for later transmission to the mobile device. The wireless connector system 704 can determine which certificates are present on the addressed recipients' mobile devices, and a certificate is sent only when it is not present on the mobile device. In the example shown in Fig. 7, only the digital signature 718 and the signed components 710, 712, 714 of the original message 706 are transmitted to user A in message 716. This occurs either when all signature-related information is removed before a received message is sent, or when the wireless connector system 704 detects that the sender's certificate in the original message 706 is already installed on user A's mobile device. In the case of user B, if for example the wireless connector system 704 determines that the certificate in the original message 706 has not yet been loaded onto user B's mobile device, both the certificate and the digital signature 722 are sent to user B's mobile device together with the signed components 710, 712, 714 in message 720.
Therefore, when a secure message has been encrypted and then signed, the digital signature and any signature-related information can be rearranged to the end of the message, and some or all of the signature-related information can be removed from the message.
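The profile-driven reduction of Figs. 6 and 7 as an added Python illustration (not code from the patent or from Research In Motion): the connector keeps every signed part in place, moves the signature block behind it, and sends certificates and CRLs only where the user profile says the device lacks them or allows them. The message layout, the profile fields and the sample certificates are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedMessage:
    """Layout after the connector's rearrangement: signed material first,
    then the signature block. For Fig. 6 the signed material is the body;
    for Fig. 7 it is the encrypted body plus every recipient's encrypted
    session key, all of which are under the signature and must be kept."""
    signer_cert: str
    chain: tuple         # intermediate CA certificates, if any
    crls: tuple
    signature: bytes
    signed_parts: tuple  # (label, content) pairs, order preserved


@dataclass
class UserProfile:
    """Per-user record at the connector (624, 626); 'device_certs' is what
    the certificate sync system reported as installed on the device."""
    device_certs: frozenset
    send_crls: str = "never"      # "never" | "always" | "on_request"
    defer_certs: bool = False     # hold missing certs back until asked


def reduce_for_device(msg, profile, requested=False):
    """Return (parts for the air link, parts held back at the connector)."""
    parts = list(msg.signed_parts) + [("signature", msg.signature)]
    deferred = {"certs": [], "crls": []}
    for cert in (msg.signer_cert, *msg.chain):
        if cert in profile.device_certs:
            continue                        # already on the device
        if profile.defer_certs and not requested:
            deferred["certs"].append(cert)
        else:
            parts.append(("cert", cert))
    for crl in msg.crls:
        if profile.send_crls == "always" or (
                profile.send_crls == "on_request" and requested):
            parts.append(("crl", crl))
        elif profile.send_crls == "on_request":
            deferred["crls"].append(crl)
        # "never": dropped; the device will not consult a CRL at all
    return parts, deferred


def wire_size(parts):
    """Bytes that actually cross the wireless link for this device."""
    return sum(len(content) for _, content in parts)


# Constructed sample: entity X signs a message to users A and B. A's device
# already holds cert X and the CA cert (Fig. 6); B's holds only cert Y.
CRL = "crl:CA1:" + "0" * 4000               # the CRL is the large part
SIGNED_MSG = SignedMessage("cert:X", ("cert:CA1",), (CRL,), b"s" * 128,
                           (("body", "hello from X"),))
ENC_THEN_SIGNED = SignedMessage("cert:X", ("cert:CA1",), (CRL,), b"s" * 128,
                                (("enc_body", "c" * 300),
                                 ("esk:A", "k" * 128), ("esk:B", "k" * 128)))
PROFILES = {
    "A": UserProfile(frozenset({"cert:X", "cert:CA1"})),
    "B": UserProfile(frozenset({"cert:Y"}), send_crls="on_request"),
}
```

For the encrypted-then-signed message both users' encrypted session keys stay in the device copy, since stripping either would break the signature at the device.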
Fig. 8 is a block diagram of secure message size reduction for a received message that was signed and then encrypted. In this case, the sender generates a digital signature for the composed message and attaches the digital signature, certificate and possibly a certificate chain and CRLs to the beginning of the message. For S/MIME messages, the digital signature, certificate and any chained certificates and CRLs are attached to the beginning of the message. As described above, the entire signed message is then encrypted using a session key, and the session key is encrypted for each addressed recipient using that recipient's public key. The resulting message is shown at 806 and comprises the digital signature and signature-related information 808 and the message body 810, both encrypted with the session key, followed by an encrypted version of the session key 812, 814 for each recipient.
When the message server 802 has received the signed and encrypted message 806 and placed it in the appropriate mailboxes of users A and B, the wireless connector system 804 detects the new message and determines whether any addressed message recipient has a mobile device (not shown) and whether the message is to be sent to that mobile device. If so, a message is prepared for sending to each mobile device, comprising the encrypted portion of the originally received message and the single encrypted session key that corresponds to the particular mobile device. In Fig. 8, the digital signature and signature-related information 808 is encrypted and therefore cannot be identified and rearranged by the wireless connector system 804. Accordingly, the messages 816, 818 sent by the wireless connector system 804 to the mobile devices of users A and B each comprise the encrypted digital signature and signature-related information 808 and the signed and encrypted message body 810 of the original message, together with the one encrypted session key 812, 814 specific to that mobile device. At each mobile device, the session key can be decrypted and used to decrypt the encrypted portions 808, 810, recovering the original message body, digital signature and signature-related information components. The message can then be viewed, and digital signature verification can be performed on each mobile device.
As described above, when the wireless connector system 804 sends only the encrypted session key that each mobile device needs, the recipient information fields (not shown) can also be removed from the encrypted message, further reducing the size of the message sent over the wireless network.
The system embodiments described above concentrate on rearranging secure messages and reducing their size before they are sent to a mobile device. Several additional embodiments will now be described that provide different methods of pre-processing messages in order to reduce the amount of data that must be wirelessly transmitted to a mobile device. An advantage of message pre-processing is that alternative techniques can be applied to messages that are both signed and encrypted, which, as is evident from the preceding description, are difficult to rearrange and reduce in size.
Fig. 9 is a block diagram showing an encrypted message pre-processing system. The overall system is similar to the systems described above, and the components shown in Fig. 9 are substantially the same as the similarly labelled components in the preceding figures. As shown at 916, the encrypted electronic message from e-mail sender 902, addressed to users A and B, comprises an encrypted message body 918 and two encrypted session keys 920 and 922. As will be apparent to those skilled in the art, the parts of the encrypted message 918 need not be in the order shown in Fig. 9. In this example, the user's desktop computer system (one of which is shown at 907) and the user's mobile device 912 or 914 are assumed to effectively share a common address, a feature supported by the wireless connector system 909. In some systems, however, messages are addressed separately to a user's mail account on the message server 905 and to a user's wireless mail account. Where the wireless connector system 909 is implemented, messages will most likely be addressed to the user's account on the message server 905.
In a preferred embodiment of the system, a single private key can be shared between the desktop computer system 907 and the mobile device 912, 914 by loading the private key onto the mobile device, for example over the physical connection 50 and interface 65 shown in Fig. 1 or some other trusted wired or wireless transfer mechanism. If the desktop computer system 907 is configured to operate with a smart card or a similar removable security-enabled component, this private key loading may be performed by the user inserting the smart card into the card reader (CR), with components of the wireless connector system 909 and/or possibly software components on the desktop computer system 907 placing the private key directly from the CR into the memory of the mobile device. Alternatively, a CR may be integrated into the mobile device, allowing the user to access the private key from either the desktop computer system or the mobile device. The shared private key provides mirrored e-mail storage in both places, at the desktop computer system 907 and at the mobile device 912 or 914.
When the message 916 is sent by the sender 902, it is eventually routed through WAN 904 to the message server 905 for processing and forwarding to the e-mail accounts of the addressed recipients, users A and B. The wireless connector system 909 detects the new message and determines whether it should be sent to any recipient's mobile device. According to one aspect of the system, for each recipient to whom the message is to be sent at a mobile device, the wireless connector system 909 decrypts the message using the session key, re-encrypts the message using a different key, and possibly a different encryption algorithm, corresponding to a wireless-friendly security scheme implemented between the wireless connector system 909 and the mobile devices 912, 914 associated with it, and then sends the re-encrypted message to the recipient's mobile device. These re-encrypted messages are shown at 924 and 926.
Because each version of the session key is encrypted with the particular public key of a particular mobile device 912, 914, the wireless connector system 909 must arrange for the session key to be decrypted before the message body can be decrypted and re-encrypted. In one embodiment of this aspect of the system, the wireless connector system 909 extracts the correct encrypted session key 920, 922 for each mobile device 912, 914 to which the received message is to be sent, and sends it to that mobile device. For example, having extracted the correct encrypted session key for a mobile device user such as user A, the wireless connector system 909 may build a message containing only the encrypted session key 920. Mobile device 912 receives this message and extracts the session key 920 from it. The session key is then decrypted, preferably re-encrypted according to the wireless-friendly security scheme described above, and sent back to the wireless connector system 909. The wireless connector system 909 then decrypts this re-encrypted session key and uses the decrypted session key to decrypt the encrypted message body on behalf of user A. The decrypted message body can then be re-encrypted according to the wireless-friendly security scheme and sent to mobile device 912. At mobile device 912, this re-encrypted message can then be decrypted and displayed to user A. A similar process is carried out between the wireless connector system 909 and each mobile device to which the received encrypted message is to be sent.
This message decryption by the wireless connector system 909 reduces the number of computationally expensive public-key decryption operations that must be performed on the mobile device. In addition, in the case of very large e-mail messages, it allows the wireless connector system 909 to send only part of a message to each mobile device. Although the session key and message exchange described above may be repeated for each user, once the session key has been decrypted by one mobile device and returned to the wireless connector system 909, the decrypted message body can be reused for each mobile device to which the message is to be sent. This can reduce the work at the wireless connector system 909, since the encrypted message body is decrypted only once even when the message is being sent to multiple mobile devices, and results in faster message delivery to some mobile devices, since the wireless connector system 909 need only receive the response carrying the re-encrypted session key from one mobile device rather than from each mobile device to which the message is to be sent.
In some systems, in which a desktop computer system such as 907 shares a common private key with a mobile device, the private key is accessible to the message server 905 and the wireless connector system 909. Although, depending on the development of private key technology, this may be an unlikely situation, this method has the advantages of reducing the number of steps in the decryption and delivery of an encrypted message and removing the need to transmit the decrypted session key wirelessly. As in the preceding embodiment, message decryption by the wireless connector system 909 reduces the number of public key operations the mobile device must perform.
According to this embodiment of the system, the wireless connector system 909 has access to the private key of any addressed recipient for whom wireless communication service is provided. Instead of sending the encrypted session key directly to the mobile device as in the preceding embodiment, the wireless connector system uses the private key shared with the device to decrypt the session key. This session key is then used to decrypt the encrypted message body. For user A, for example, the wireless connector system 909 would extract the encrypted session key 920 from the message 916, decrypt the session key using user A's private key, and use this session key to decrypt the encrypted message body 918. Substantially as described above, once the message body has been decrypted it is re-encrypted using the wireless-friendly encryption method and sent to the appropriate mobile device. The mobile device then decrypts the message and presents it to the user in its original form. This process provides the fastest message delivery time with the fewest public key operations on the mobile device, which tends to improve device functionality and conserve processing power.
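The session-key round trip of Fig. 9 (the same exchange as steps 1410 to 1440 of Fig. 14) and its shared-private-key shortcut, as an added Python illustration that is not the patent's own code. So that it runs on the standard library alone, textbook RSA stands in for the recipients' public-key scheme and a SHA-256 keystream stands in for both the sender's session-key cipher and the wireless-friendly scheme (3DES in the text); the keys, recipient names and message are constructed.

```python
import hashlib
import secrets

def _probable_prime(n, rounds=20):
    """Miller-Rabin test; enough for a toy RSA key, not a production one."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def rsa_keypair(bits=512):
    """Textbook RSA (no OAEP): stand-in for a recipient's S/MIME key pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _stream(key, nonce, data):
    # XOR with SHA-256(key || nonce || counter) blocks; same call both ways.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sym_encrypt(key, data):
    """Stand-in for the sender's cipher and for the wireless-friendly
    scheme between connector and device; fresh nonce per message."""
    nonce = secrets.token_bytes(12)
    return nonce + _stream(key, nonce, data)

def sym_decrypt(key, blob):
    return _stream(key, blob[:12], blob[12:])

def build_encrypted_message(body, recipient_pubkeys):
    """Constructed sender side: one session key, RSA-wrapped per recipient
    (the encrypted session keys 920 and 922 of Fig. 9)."""
    session_key = secrets.token_bytes(16)
    sk_int = int.from_bytes(session_key, "big")
    return {"enc_body": sym_encrypt(session_key, body),
            "esk": {name: pow(sk_int, e, n)
                    for name, (n, e) in recipient_pubkeys.items()}}

def connector_extract_esk(message, recipient):
    """Connector: the small message carrying only this device's encrypted
    session key (Fig. 14, steps 1410 and 1415)."""
    return {"esk": message["esk"][recipient]}

def device_return_session_key(esk_msg, device_privkey, wireless_key):
    """Device: the private key never leaves it; the session key goes back
    under the wireless-friendly key (Fig. 14, step 1440)."""
    n, d = device_privkey
    session_key = pow(esk_msg["esk"], d, n).to_bytes(16, "big")
    return sym_encrypt(wireless_key, session_key)

def connector_reencrypt_body(message, reply, replier, wireless_keys, targets):
    """Connector: recover the session key from ONE device's reply, decrypt
    the body once, and re-encrypt it for every target device (924, 926)."""
    session_key = sym_decrypt(wireless_keys[replier], reply)
    body = sym_decrypt(session_key, message["enc_body"])
    return {t: sym_encrypt(wireless_keys[t], body) for t in targets}

def connector_shared_key_path(message, recipient, shared_privkey, wireless_key):
    """Variant where the connector holds the private key shared with the
    desktop: no session-key round trip over the air."""
    n, d = shared_privkey
    session_key = pow(message["esk"][recipient], d, n).to_bytes(16, "big")
    body = sym_decrypt(session_key, message["enc_body"])
    return sym_encrypt(wireless_key, body)

def device_read(blob, wireless_key):
    """Device: strip the wireless-friendly layer to show the original body."""
    return sym_decrypt(wireless_key, blob)
```

Note that the decrypted body and session key exist in the clear only inside the connector, behind the firewall, which is the trust assumption the text makes for this scheme.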
It will be apparent that having the wireless connector system 909 decrypt and re-encrypt an encrypted message would normally represent a security concern. In the system shown in Fig. 9, however, the decryption and re-encryption are performed behind the security firewall, and the decrypted information therefore remains as secure as any other information on the corporate LAN 906. When a strong encryption scheme such as 3DES is used between the wireless connector system 909 and the mobile devices 912, 914, any previously decrypted information, including decrypted messages and session keys, remains secure while in transit between the wireless connector system 909 and the mobile devices 912, 914.
Fig. 10 is a block diagram of a signed message pre-processing system. The system in Fig. 10 is similar to the system in Fig. 9, and the similarly labelled components in Figs. 9 and 10 are substantially the same, although the system of Fig. 10 pre-processes signed messages. In Fig. 10, digital signature verification is performed on behalf of the mobile device user at the user's host system (LAN 1006), thereby saving the transmission of the digital signature and the typically larger signature-related data.
A message 1016 signed by e-mail message sender 1002 comprises a digital signature portion 1018 and a message body portion 1020, as described above. When the signed message 1016 is received by the message server 1005 and forwarded to the appropriate mailboxes, the wireless connector system 1009 detects the new message and determines whether it should be sent to one or more mobile devices. In the example in Fig. 10, the message is to be sent to two mobile devices, 1012 and 1014.
The wireless connector system 1009 then detects that the message has been signed and attempts to find the sender's public key. This public key may be retrieved from local storage or possibly from a PKS 1028 somewhere on the WAN 1004. Once the sender's public key has been retrieved, the digital signature is verified by the wireless connector system 1009 on behalf of each mobile device user. A message is then prepared and forwarded to each mobile device 1012, 1014, preferably including an indication of whether the digital signature was verified. As shown at 1024, 1025 and 1026, 1027, the original message body 1020 and the signature indication are re-enveloped for security, and possibly encrypted, before being sent to the mobile devices 1012 and 1014. Although the signature indication need not be kept secret, encrypting it prevents an unauthorised party from inserting a false signature indication or altering the signature indication. At each device, the outer envelope is removed and the message is decrypted, if necessary, before being presented to the user together with the signature indication.
Fig. 11 is a block diagram of secure message pre-processing for a received message that was encrypted and then signed. To avoid crowding the figure, only the message server 1102 and the wireless connector system 1104 are shown. It will be apparent to those skilled in the art that these components may be implemented in a system such as those shown in the preceding figures.
A secure message 1106 that was encrypted and then signed may comprise such component parts as a digital signature and signature-related information portion 1108, an encrypted and signed message body 1110, and encrypted and signed session keys 1112 and 1114. The generation of such messages has been described in detail above. When such a message is received at the message server 1102 and distributed to the appropriate mailboxes of users A and B, the wireless connector system 1104 detects the new message and determines, in this example, that the message is to be sent to the mobile devices of both user A and user B. Because the message has been both signed and encrypted, its pre-processing comprises several of the steps of each of the pre-processing schemes described above in connection with Figs. 9 and 10.
Message 1106 was first encrypted and then signed, so the wireless connector system 1104 preferably first verifies the signature using the sender's public key. This key may be retrieved from local storage or, for example, from a PKS. Regardless of whether the sender's digital signature is verified, pre-processing may proceed to obtain the session key used to encrypt the message. As described above, this can be accomplished by the wireless connector system 1104 sending the corresponding version of the session key to a mobile device, or, if the device's private key is accessible to the wireless connector system 1104, by accessing the private key and decrypting the session key. Once the session key has been decrypted by the connector system 1104 or returned to the wireless connector system 1104, the message can be decrypted. The decrypted message, preferably together with a signature indication that the message was signed and whether the digital signature was verified, is then re-encrypted using the wireless-friendly encryption algorithm and sent to each mobile device to which the message is to be sent. As indicated at 1116 and 1122, the messages sent to the mobile devices of users A and B comprise a message body 1118, 1124 and a signature indication 1120, 1126, both of which are preferably encrypted. Each mobile device can then decrypt the message 1116, 1122 and present the message with the signature indication to the mobile device user.
Fig. 12 is a block diagram similar to Fig. 11, but showing secure message pre-processing for a received message that was signed and then encrypted. As in Fig. 11, only the message server 1202 and the wireless connector system 1204 are shown in Fig. 12, to avoid crowding. It should be understood, however, that the arrangement in Fig. 12 would typically be implemented as part of a larger system capable of exchanging electronic messages, such as that shown in Fig. 11.
As described above, a message 1206 that was signed and then encrypted typically comprises a digital signature and signature-related information component 1208 and a message body portion 1210, both encrypted by the sender using a session key, together with encrypted versions of the session key 1212, 1214 for each addressed recipient of the message 1206 (users A and B in this example). When message 1206 is received by the message server 1202 and distributed to the appropriate mailboxes, the wireless connector system 1204 detects the new message and determines to which mobile devices (if any) the message is to be sent.
Because message 1206 was first signed and then encrypted, the wireless connector system 1204 must first decrypt the message before any further pre-processing can be performed. To this end, the wireless connector system 1204 obtains the session key, either by sending the corresponding encrypted session key to each mobile device for decryption as described above, or by accessing the user's private key and decrypting the session key itself. Once the session key has been returned to the wireless connector system 1204 or decrypted by the wireless connector system 1204, the message 1206 can be decrypted and the digital signature and signature-related information extracted. The digital signature can then be verified by retrieving the sender's public key, as described above. A signature indication is then generated and appended to the message body. The message and the indication are then preferably encrypted using the wireless-friendly encryption method and sent to each mobile device to which the message is to be sent. As shown at 1216 and 1222, the messages to the mobile devices comprise a message body 1218, 1224 and an indication 1220, 1226 that the message was signed and whether the digital signature was verified. At the mobile device, the transmitted message is decrypted to recover the original message and the signature indication.
Figs. 13 and 14 are flow charts of methods for pre-processing signed, encrypted, or signed and encrypted messages before they are sent to a mobile device. In these figures it is assumed that a message has been received and placed in a message store location, and that the wireless connector system has detected the new message. It should be apparent that the methods shown in Figs. 13 and 14 apply to those messages that the wireless connector system has determined should be processed, i.e. messages to be sent to one or more mobile devices.
Turning now to Fig. 13, the method starts at step 1300, when a message that is to be sent to a mobile device arrives from a message sender. At step 1305, the wireless connector system tests whether the message is plaintext. This check is performed, for example, by checking the MIME type of the message and/or looking for attachments having a certain format and MIME type. If the message is plaintext, it is routed to each mobile device. If the message is not plaintext, then at step 1315 a check is performed to determine whether the message was signed but not encrypted (signed only) or signed last. If the message is neither signed only nor signed last, this means that the message may have been encrypted but not signed (encrypted only), or signed first and then encrypted last, and the encryption must be processed first. At step 1320, a determination is made as to whether the message is encrypted only or encrypted last. If the message is determined to be neither encrypted only nor encrypted last, then it may be a plaintext, signed-only or signed-last message that was not detected at step 1305 or 1315, or the message may have a format that the wireless connector system cannot process. In any of these cases an error may be raised, as indicated at 1325. As will be appreciated by those skilled in the art, error handling will depend on the system in which the method is implemented. If the message is encrypted only or encrypted last, the method proceeds to encryption processing at step 1330, which is shown in detail in Fig. 14 and described below.
If the message is signed only or signed last, as determined at step 1315, then a digest of the message is generated at step 1340, as described above. The digital signature attached to the message is then detected at step 1345. To continue digital signature verification, at step 1350 the sender's public key is retrieved from local storage, or possibly from a PKS or similar system, or from a certificate attached to the original message, for example one included in the SignerInfo portion of the message. At step 1355, the digest in the detected digital signature is extracted and the signature on the digest is verified using the sender's public key.
Then, at step 1360, digests A and B are compared to determine whether they match. It is also determined whether the signature on the digest was verified. If either of these two conditions is not satisfied, the signature is not verified, and at step 1365 an indication such as "failed" signature is appended to the message. If both conditions are satisfied, the signature is properly verified, and a "verified" or similar signature indication is appended to the message at step 1370.
At step 1375 it is determined whether the message is still encrypted. If it is still encrypted, as it would be for a message that was encrypted and then signed, the method continues at step 1380 to process the encrypted data, as shown in Fig. 14 and described in further detail below. If the message is not still encrypted, then at step 1385 it is tested to determine whether it was encrypted at all. For a message that was signed first and encrypted last, message decryption was completed before signature verification. If the message was encrypted, then at step 1395 a message is built and sent to the mobile device, comprising the appropriate signature indication, an encryption indication or flag indicating that the message was originally encrypted, and the message body. Otherwise, the message sent to the mobile device at step 1390 comprises the signature indication and the message body. Alternatively, if the mobile device user need not know whether a message was originally encrypted, which may be a configuration setting stored in a user profile accessible to the wireless connector system, step 1375 can proceed directly to step 1390, and no encryption indication is sent.
Although not shown in Fig. 13, the encoding, compression and encryption schemes described above for pre-processing secure messages before they are sent to a mobile device may be employed by the wireless connector system as part of steps 1390 and 1395.
Turning now to Figure 14, the method steps associated with processing the encrypted portion of a message are shown. Encryption processing may begin either when a message is encrypted last or encrypted only (step 1330), or when the signature verification operations have been completed for an encrypted-then-signed message (step 1380).
At step 1410, the first step in processing the encrypted data is to locate the encrypted session key for the particular mobile device user, for example using the recipient information (RecipientInfo) field of the received message. At step 1415, the wireless connector system generates and sends to the mobile device a message comprising the encrypted session key, as described above. This message may also contain text providing the user with information about the message, such as its size, date and originator, and an indication that the message is encrypted. When this message is received at the mobile device, it is determined at step 1425, for example by a secure messaging software application on the mobile device, whether a private key that can be used to decrypt the session key exists on the device. If the device does not have the correct private key, or the user does not wish to decrypt the message, then the message cannot be viewed by the user on the mobile device. Otherwise, as optional step 1435, the user may be given the option of decrypting the session key, for example through a menu in a message list on the mobile device (step 1435). Then, at step 1440, the decrypted session key is passed back to the wireless connector system and the original message is decrypted.
Once decryption is complete, a test is performed at step 1445 to determine whether a digital signature is to be verified. If so, the method proceeds to step 1450 to process the digital signature as described above with reference to Figure 13. If no digital signature is to be verified, a further test is performed at step 1455 to determine whether a digital signature has already been processed. If a digital signature has been processed, that is, when encryption processing began at step 1380, then at step 1460 the decrypted message with a signature indication and possibly an encryption indication as described above is sent to the mobile device. Otherwise, if the message was not signed, then as shown at step 1465 the decrypted message, possibly with an encryption indication, is sent to the mobile device.
The flow charts shown in Figures 13 and 14 are intended for illustrative purposes and do not limit the scope of this system. The steps outlined in the flow charts may be performed in a different order, some steps may be combined with other steps or omitted, and further steps and operations may be performed. For example, the order in which operations are performed for digital signature verification may differ from that shown in Figure 13. In some systems, the digital signature may be detected before digest A is generated, or digest B may be recovered before digest A is generated. Alternatively, message pre-processing may be stopped at step 1360 if the digital signature is not verified. Other variations of the methods in Figures 13 and 14 will be apparent to those skilled in the art and are considered to be within the scope of the invention as described above and claimed herein.
Figure 15 is a flow chart of a method for pre-processing a signed or encrypted-then-signed message sent from a mobile device. Similar to the message pre-processing embodiments described above, a mobile device and a host system operating with a wireless connector system may be configured so that the host system pre-processes messages sent from the mobile device.
In Figure 15, the method starts at step 1500 when a user composes a message on the mobile device. When the mobile device is enabled for secure communications, at step 1505 the user may select additional message security features, including, in the example of Figure 15, "sign last", that is, encrypt then sign, or "sign only" message security. Message security of this type may be provided, for example, using S/MIME or some other secure messaging scheme.
A test is then performed at step 1510 to determine whether the user has selected to encrypt the message before signing it. When the message is to be encrypted before signing, a session key is generated at step 1515, the message is encrypted using the session key at step 1520, and the session key is then encrypted using the public key of each intended recipient at step 1525. These public keys are preferably stored in memory on the mobile device, but may instead be requested from an external source such as a PKS if required.
When the message has been encrypted, or if the message is not to be encrypted, the method continues at step 1530, in which a digital signature is generated using the user's private key by passing the message, or, if the message was encrypted, the encrypted version of the message and the encrypted session keys, to a digest function. Instead of appending signature-related information such as the sender's certificate, certificate chain and any CRLs to the message on the mobile device for wireless transmission to the wireless connector system at the host system, the mobile device preferably includes in the message sent to the host system a signature-related information indication, which is processed by the wireless connector system to determine what signature-related information, if any, is to be appended to the message. This allows the mobile device to send signature-related information via the host system while avoiding transmission of the larger signature-related information over the wireless communication link. Therefore, at step 1535 the mobile device sends to the host system the original message (now possibly encrypted), the digital signature, the signature-related information indication and, if the message was encrypted, the one or more encrypted session keys. All of this information may be encoded, compressed and encrypted using wireless-friendly methods before being sent to the host system.
Post-processing of such a message at the host system begins at step 1540. The wireless connector system operating at the host system extracts the signature-related information indication from the message and determines what signature-related information should be included in the message. At step 1545, the appropriate signature-related information identified in the extracted signature-related information indication, for example including the sender's certificate and possibly chained certificates and CRLs, is appended to the message. Then, at step 1550, the message, the digital signature and the appended signature-related information are sent from the host system to all recipients.
When a mobile device user composes a message and selects encrypt-only or sign-then-encrypt message security, post-processing of the resulting encrypted message can be performed at the host system if the wireless connector system operating at the host system has access to the session key used to encrypt the message. Otherwise, the host system cannot decrypt such a message and therefore cannot perform post-processing operations on it. In that case, the message composed on the mobile device, together with the appended digital signature and any required certificates and CRLs, is encrypted on the mobile device using the session key, and the encrypted message and the encrypted version of the session key are sent from the mobile device to the host system for delivery to the addressed recipients, or directly to the addressed recipients. Any required certificates and CRLs must be appended to the message on the mobile device, and encryption of the entire message and of the session key must be performed on the device.
However, if the session key can be sent to the host system, then some encryption and possibly other secure messaging processing operations may be handled by the host system, as shown in Figure 16, which is a flow chart of a method for post-processing an encrypted or signed-then-encrypted message sent from a mobile device. For example, instead of encrypting the session key using the public key of each addressed recipient, the session key may be encrypted using a public key associated with the host system or with the mobile device user's desktop computer system on which the host system resides. Provided that the wireless connector system has access to the corresponding private key of the host system or user, the session key can then be decrypted at the host system. Similarly, if a wireless-friendly security scheme is implemented for communications between the mobile device and the wireless connector system operating at the host system, the session key may be encrypted by the mobile device according to that scheme and then decrypted by the host system. This potentially allows the host system, rather than the mobile device, to perform several operations that would otherwise have to be performed by the mobile device.
Referring now to Figure 16 in detail, at step 1600 the user composes a message on the mobile device, and at step 1605 selects encrypt-only or sign-then-encrypt (encrypt last) message security. At step 1610 it is determined whether the user selected a signed-then-encrypted message. If so, a digest and a digital signature are generated at step 1615, and at step 1620 signature-related information such as the user's certificate, certificate chain and any CRLs described above is appended to the message. When signing is complete, or if the message is to be encrypted without first being signed, the method proceeds to step 1625, at which the device generates the session key to be used in encrypting the message. If the message was signed, the message is then encrypted at step 1630 using the session key, together with the appended digital signature and signature-related information. Then, at step 1635, the session key is encrypted using the public key corresponding to a private key available to the wireless connector system operating at the host system, a wireless-friendly security method, or possibly both, and the encrypted message and the encrypted session key are sent to the host system. Where a wireless-friendly security scheme is in place, the encrypted message may of course be encrypted a second time for sending to the host system. Encoding, compression and message enveloping techniques may also be applied to the message and session key for sending to the host system.
When the message and the encrypted session key are received at the host system, any encoding, compression, encryption and enveloping applicable to data transfers between the mobile device and the host system is reversed by the wireless connector system. If the session key was further encrypted by the device using a public key, for example, it is decrypted by the wireless connector system using the corresponding private key at step 1640. Then, at step 1645, the wireless connector system uses the decrypted session key to re-encrypt the session key with the public key of each addressed recipient, and appends the encrypted session keys to the message, as indicated at step 1650, before forwarding the message for delivery to the addressed recipients. Encryption of the session key for each recipient is thus offloaded from the mobile device to the host system.
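As an added illustration that is not part of the patent's text, the Go program below models the offload in steps 1625 to 1650 of Figure 16: the device wraps the session key once for the host, and the wireless connector system unwraps it with the host private key and re-wraps it for every addressed recipient without touching the message body. AES-GCM for the body, RSA-OAEP for key wrapping, the party names and the sample message are constructed for this example (the patent fixes none of these), and the signature-related information and any wireless-friendly outer layer are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message carries the session-key encrypted body plus the session key wrapped (RSA-OAEP) for each
// party named in Keys: one entry ("host") from device to host, one per recipient after step 1650.
type Message struct {
	Nonce, Body []byte
	Keys        map[string][]byte
}

func aead(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey makes a constructed 2048-bit RSA key pair for the demo.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// DeviceEncrypt is steps 1625-1635 on the device: make a session key, encrypt the body, wrap the key for the host only.
func DeviceEncrypt(host *rsa.PublicKey, plaintext []byte) (*Message, error) {
	secret := make([]byte, 32+12) // AES-256 session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	sessionKey, nonce := secret[:32], secret[32:]
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	hostKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, host, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Message{Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil), Keys: map[string][]byte{"host": hostKey}}, nil
}

// HostRewrap is steps 1640-1650 at the wireless connector system: unwrap the session key with the host
// private key and wrap it for every addressed recipient; the body is forwarded untouched, no plaintext needed.
func HostRewrap(hostPriv *rsa.PrivateKey, in *Message, recipients map[string]*rsa.PublicKey) (*Message, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, hostPriv, in.Keys["host"], nil)
	if err != nil {
		return nil, err
	}
	out := &Message{Nonce: in.Nonce, Body: in.Body, Keys: map[string][]byte{}}
	for name, pub := range recipients {
		if out.Keys[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// RecipientOpen is the recipient's side: unwrap its own copy of the session key and authenticate-decrypt the body.
func RecipientOpen(name string, priv *rsa.PrivateKey, msg *Message) ([]byte, error) {
	wrapped, ok := msg.Keys[name]
	if !ok {
		return nil, fmt.Errorf("no session key addressed to %s", name)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Body, nil) // fails if the body was altered in transit
}

func main() {
	hostPriv, alice, bob := NewKey(), NewKey(), NewKey()
	env, err := DeviceEncrypt(&hostPriv.PublicKey, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	out, err := HostRewrap(hostPriv, env, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, err := RecipientOpen("bob", bob, out)
	fmt.Printf("device wrapped %d key(s), host wrapped %d, bob read %q (err %v)\n", len(env.Keys), len(out.Keys), pt, err)
}
```

Note that the host learns the session key but never decrypts the body here; the variant described next, in which the host also appends signature-related information, is the case where it would.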
Although not shown in Figure 16, this method may be extended to provide further post-processing of encrypted messages at the host system. Since the wireless connector system at the host system has the session key, the message itself can be decrypted. Therefore, the device need not necessarily append signature-related information (its certificate, certificate chain or any CRLs) to the message before encryption. Instead, as described above in connection with Figure 15, a signature-related information indication may be appended to the message. Using the session key, the wireless connector system can decrypt the message, process the signature-related information indication, and then append any required signature-related information. Once this information has been appended, the wireless connector system re-encrypts the message using the session key and encrypts the session key for each addressed recipient. According to this method, the typically large signature-related information is added to the message by the host system, avoiding both encryption of this information by the device and its wireless transmission.
If a strong wireless-friendly security scheme is in place between the mobile device and the host system, then the message and session key, together with the digital signature and any signature-related information indication, may be encrypted according to that security scheme and sent to the host system. The host system may then append the required signature-related information identified in the signature-related information indication to the message, encrypt the message, the digital signature and the signature-related information using the session key, and then encrypt the session key for the addressed recipients. In this situation, the session key may be generated by the host system rather than by the mobile device, further reducing the amount of data sent from the mobile device. The mobile device then need only use the wireless-friendly security scheme to enable secure communications via technologies such as S/MIME and PGP. Message post-processing and bulk data processing operations are thus moved from the mobile device to the more powerful host system.
Where the host system also has access to the mobile device user's signing key, the post-processing concept may be extended even further to include the signing of secure messages. The mobile device may then send to the host system a message, an indication that the message should be signed, a signature-related information indication if any, an indication that the message should be encrypted, and either a session key or an indication that the host system should select a session key. The host system may then handle all encryption and signing operations on behalf of the mobile device. Although these techniques reduce the amount of data that must be transferred from the mobile device for secure messaging and the complexity of device-based processing operations, session key generation, encryption and signing at the host system assume either secure transfer between the mobile device and the host system or host system access to the user's private keys.
Turning now to Figure 17, a block diagram of an example wireless communication device in which the system and methods described herein may be used is shown. The mobile communication device 100 is preferably a two-way communication device having voice and/or data communication capabilities. The device preferably has the capability to communicate with other computer systems on the Internet. Depending on the functionality provided by the device, it may be referred to as a data messaging device, a two-way pager, a cellular telephone with data messaging capabilities, a wireless Internet appliance, or a data communication device (with or without telephony capabilities). As mentioned above, such devices are referred to generally herein simply as mobile devices.
The dual-mode device 100 includes a transceiver 1711, a microprocessor 1738, a display 1722, flash memory 1724, RAM 1726, auxiliary input/output (I/O) devices 1728, a serial port 1730, a keyboard 1732, a speaker 1734, a microphone 1736, a short-range wireless communications sub-system 1740, and may also include other device sub-systems 1742. The transceiver 1711 preferably includes transmit and receive antennas 1716, 1718, a receiver (Rx) 1712, a transmitter (Tx) 1714, one or more local oscillators (LOs) 1713, and a digital signal processor (DSP) 1720. Within the flash memory 1724, the device 100 preferably includes a plurality of software modules 1724A-1724N that can be executed by the microprocessor 1738 (and/or the DSP 1720), including a voice communication module 1724A, a data communication module 1724B, and a plurality of other operational modules for carrying out a plurality of other functions.
The mobile device 100 is preferably a two-way communication device having voice and data communication capabilities. Thus, for example, the device may communicate over a voice network, such as any of the analog or digital cellular networks, and may also communicate over a data network. The voice and data networks are depicted in Figure 17 by the communication tower 1719. These voice and data networks may be separate communication networks using separate infrastructure, such as base stations, network controllers, etc., or they may be integrated into a single wireless network. References to the network 1719 should therefore be interpreted as encompassing both a single voice and data network and separate networks.
The communication subsystem 1711 is used to communicate with the network 1719. The DSP 1720 is used to send communication signals to the transmitter 1714 and to receive communication signals from the receiver 1712, and may also exchange control information with the transmitter 1714 and receiver 1712. If the voice and data communications occur at a single frequency, or at closely spaced sets of frequencies, then a single LO 1713 may be used in conjunction with the transmitter 1714 and receiver 1712. Alternatively, if different frequencies are used for voice and data communications, then a plurality of LOs 1713 may be used to generate a plurality of frequencies corresponding to the network 1719. Although two antennas 1716, 1718 are shown in Figure 17, the mobile device 100 may use a single antenna structure. Information, including both voice and data information, is communicated to and from the communication module 1711 via a link between the DSP 1720 and the microprocessor 1738.
The detailed design of the communication subsystem 1711, such as frequency band, component selection, power level, etc., will depend upon the communication network in which the device 100 is intended to operate. For example, a device 100 intended to operate in the North American market may include a communication subsystem 1711 designed to operate with the Mobitex or DataTAC mobile data communication networks and also designed to operate with any of a variety of voice communication networks, such as AMPS, TDMA, CDMA, PCS, etc., whereas a device 100 intended for use in Europe may be configured to operate with the GPRS data communication network and the GSM voice communication network. Other types of data and voice networks, both separate and integrated, may also be used with the mobile device 100.
Depending upon the type of network 1719, the access requirements for the dual-mode mobile device 100 may also vary. For example, in the Mobitex and DataTAC data networks, mobile devices are registered on the network using a unique identification number associated with each device. In GPRS data networks, however, network access is associated with a subscriber or user of the device 100. A GPRS device typically requires a subscriber identity module ("SIM"), which is required in order to operate the device 100 on a GPRS network. Without a SIM, local or non-network communication functions (if any) may be operable, but the device 100 will be unable to carry out any functions involving communications over the network 1719, other than any legally required operations, such as '911' emergency calling.
After any required network registration or activation procedures have been completed, the dual-mode device 100 may send and receive communication signals, preferably including both voice and data signals, over the network 1719. Signals received by the antenna 1716 from the communication network 1719 are routed to the receiver 1712, which provides signal amplification, frequency down-conversion, filtering, channel selection, etc., and may also provide analog-to-digital conversion. Analog-to-digital conversion of the received signal allows more complex communication functions, such as digital demodulation and decoding, to be performed using the DSP 1720. In a similar manner, signals to be transmitted to the network 1719 are processed, including modulation and encoding, for example, by the DSP 1720 and are then provided to the transmitter 1714 for digital-to-analog conversion, frequency up-conversion, filtering, amplification and transmission to the communication network 1719 via the antenna 1718. Although a single transceiver 1711 is shown in Figure 17 for both voice and data communications, the device 100 may include two distinct transceivers, a first transceiver for transmitting and receiving voice signals, and a second transceiver for transmitting and receiving data signals.
In addition to processing the communication signals, the DSP 1720 also provides for receiver and transmitter control. For example, the gain levels applied to communication signals in the receiver 1712 and transmitter 1714 may be adaptively controlled through automatic gain control algorithms implemented in the DSP 1720. Other transceiver control algorithms may also be implemented in the DSP 1720 in order to provide more sophisticated control of the transceiver 1711.
The microprocessor 1738 preferably manages and controls the overall operation of the dual-mode mobile device 100. Many types of microprocessors or microcontrollers may be used here, or, alternatively, a single DSP 1720 may be used to carry out the functions of the microprocessor 1738. Low-level communication functions, including at least data and voice communications, are performed through the DSP 1720 in the transceiver 1711. Other, high-level communication applications, such as a voice communication application 1724A and a data communication application 1724B, may be stored in the flash memory 1724 for execution by the microprocessor 1738. For example, the voice communication module 1724A may provide a high-level user interface operable to transmit and receive voice calls between the dual-mode mobile device 100 and a plurality of other voice devices via the network 1719. Similarly, the data communication module 1724B may provide a high-level user interface operable to transmit and receive data, such as e-mail messages, files, organizer information, short text messages, etc., between the dual-mode mobile device 100 and a plurality of other data devices via the network 1719. On the device 100, a secure messaging software application may operate in conjunction with the data communication module 1724B in order to implement the secure messaging techniques described above.
The microprocessor 1738 also interacts with other device subsystems, such as the display 1722, flash memory 1724, random access memory (RAM) 1726, auxiliary input/output (I/O) subsystems 1728, serial port 1730, keyboard 1732, speaker 1734, microphone 1736, a short-range communications subsystem 1740 and any other device subsystems generally designated as 1742. For example, the modules 1724A-N are executed by the microprocessor 1738 and may provide a high-level interface between a user of the mobile device and the mobile device. This interface typically includes a graphical component provided through the display 1722, and an input/output component provided through the auxiliary I/O 1728, keyboard 1732, speaker 1734 or microphone 1736.
Some of the subsystems shown in Figure 17 perform communication-related functions, whereas other subsystems may provide "resident" or on-device functions. Notably, some subsystems, such as the keyboard 1732 and display 1722, may be used for both communication-related functions, such as entering a text message for transmission over a data communication network, and device-resident functions such as a calculator or task list or other PDA-type functions.
Operating system software used by the microprocessor 1738 is preferably stored in a persistent store such as the flash memory 1724. In addition to the operating system and the communication modules 1724A-N, the flash memory 1724 may also include a file system for storing data. A storage area is also preferably provided in the flash memory 1724 to store public keys, private keys and other information required for secure messaging. The operating system, specific device applications or modules, or parts thereof, may be temporarily loaded into a volatile store, such as RAM 1726, for faster operation. Moreover, received communication signals may also be temporarily stored in RAM 1726 before being permanently written to a file system located in the persistent store 1724.
An exemplary application module 1724N that may be loaded onto the dual-mode device 100 is a personal information manager (PIM) application providing PDA functionality, such as calendar events, appointments and task items. This module 1724N may also interact with the voice communication module 1724A for managing phone calls, voice mail, etc., and may also interact with the data communication module 1724B for managing e-mail communications and other data transmissions. Alternatively, all of the functionality of the voice communication module 1724A and the data communication module 1724B may be integrated into the PIM module.
The flash memory 1724 preferably provides a file system to facilitate storage of PIM data items on the device. The PIM application preferably includes the ability to send and receive data items via the wireless network 1719, either by itself or in conjunction with the voice and data communication modules 1724A, 1724B. The PIM data items are preferably seamlessly integrated, synchronized and updated via the wireless network 1719 with a corresponding set of data items stored at or associated with a host computer system, thereby creating a mirrored system for the data items associated with a particular user.
The mobile device 100 may also be manually synchronized with a host system by placing the device 100 in an interface cradle that couples the serial port 1730 of the mobile device 100 to a serial port of the host system. The serial port 1730 may also be used to enable a user to set preferences through an external device or software application, to download other application modules 1724N for installation, and to load certificates, keys and other information onto the device as described above. This wired download path may also be used to load an encryption key onto the device, which is a more secure method than exchanging security information via the wireless network 1719.
Additional application modules 1724N may be loaded onto the dual-mode device 100 through the network 1719, through an auxiliary I/O subsystem 1728, through the serial port 1730, through the short-range communications subsystem 1740, or through any other suitable subsystem 1742, and installed by a user in the flash memory 1724 or RAM 1726. Such flexibility in application installation increases the functionality of the device 100 and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications may enable electronic commerce functions and other such financial transactions to be performed using the device 100.
When the dual-mode device 100 is operating in a data communication mode, a received signal, such as a text message or a web page download, is processed by the transceiver 1711 and provided to the microprocessor 1738, which preferably further processes the received signal for output to the display 1722 or, alternatively, to an auxiliary I/O device 1728. A user of the dual-mode device 100 may also compose data items, such as e-mail messages, using the keyboard 1732, which is preferably a complete alphanumeric keyboard laid out in the QWERTY style, although other styles of complete alphanumeric keyboard, such as the DVORAK style, may also be used. User input to the device 100 is further enhanced by a plurality of auxiliary I/O devices 1728, which may include a thumbwheel input device, a touchpad, a variety of switches, a rocker input switch, etc. The composed data items input by the user may then be transmitted over the communication network 1719 via the transceiver 1711. Secure messages received by and to be transmitted from the mobile device 100 are processed by the data communication module 1724B or an associated secure messaging software application according to the techniques described above.
When the dual-mode device 100 is operating in a voice communication mode, the overall operation of the device 100 is substantially similar to the data mode, except that received signals are preferably output to the speaker 1734 and voice signals for transmission are generated by the microphone 1736. Moreover, the secure messaging techniques described above need not necessarily be applied to voice communications. Alternative voice or audio I/O subsystems, such as a voice message recording subsystem, may also be implemented on the device 100. Although voice or audio signal output is preferably accomplished primarily through the speaker 1734, the display 1722 may also be used to provide an indication of the identity of a calling party, the duration of a voice call, or other voice call related information. For example, the microprocessor 1738, in conjunction with the voice communication module 1724A and the operating system software, may detect the caller identification information of an incoming voice call and display it on the display 1722.
A short-range communications subsystem 1740 may also be included in the dual-mode device 100. For example, the subsystem 1740 may include an infrared device and associated circuits and components, or a short-range wireless communication module such as a "Bluetooth" module or an 802.11 module, according to the Bluetooth and 802.11 specifications respectively, to provide for communication with similarly enabled systems and devices. Those skilled in the art will appreciate that "Bluetooth" and 802.11 refer to sets of specifications, available from the Institute of Electrical and Electronics Engineers (IEEE), relating to wireless personal area networks and wireless local area networks, respectively.
Having described the preferred embodiment of the system in detail, including its preferred method of operation, it should be understood that the operation can be carried out with different elements and steps. The preferred embodiment is presented by way of example only and is not intended to limit the scope of the invention. For example, Figures 18 and 19 show pre-processing and post-processing of messages involving a mobile wireless communication device.
Figure 18 depicts an example of pre-processing, in which a host system 1806 receives a message 1804 from a message sender addressed to one or more message recipients. A wireless connector system 1810 generates a message 1812 for the mobile device 1814 corresponding to a message recipient. The wireless connector system 1810 performs authentication and/or encryption message processing 1808 on the sender's message 1804. Many types of processing may be performed, such as reducing the size of the sender's encrypted message by removing some or all of the session keys that are not needed by the message recipient associated with the mobile device. Through the processing 1808, the message 1812 sent to the mobile device 1814 is a modification of the sender's message 1804 with respect to authentication and/or encryption. The mobile device 1814 includes memory for storing such pre-processed messages, such as volatile or non-volatile random access memory (RAM).
If other mobile devices are recognized by the wireless connector system 1810, the sender's message 1804 is processed in the same way for each recipient that is to receive the sender's message 1804. In this way, messages modified with respect to authentication and/or encryption (for example, with respect to their encoding) (e.g., 1816) are sent to the other mobile devices (e.g., 1818).
It should be appreciated that such a system may be varied in many ways, such as having the processing 1808 performed by the host system 1806, or having the wireless connector system 1808 operate within the host system 1806 or on a platform distinct from the host system 1806. As another example of the wide range of possible variations, the wireless connector system 1810 may use non-redirection operations to transmit messages to the mobile devices (e.g., 1814 and 1818).
Figure 19 depicts an example of post-processing, in which a wireless connector system 1906 receives a message 1904 from a mobile wireless communication device 1902 addressed to one or more message recipients (e.g., 1914 and 1918). Authentication and/or encryption message processing 1908 is performed on the message 1904. Many types of processing may be performed, such as removing a signature-related information indicator from the device-signed message and appending to the signed message the signature-related information identified by that indicator. The processed message 1912 is then sent to the one or more recipients (e.g., 1914 and 1918) via the host system 1910.
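The two host-side transformations just described, written out as an added example that is not the patent's own code: the CMS EnvelopedData and SignedData structures are modelled with flat Python classes, and every key, ciphertext and certificate is a constructed stand-in byte string.

```python
"""Host-side S/MIME pre-processing (Figure 18) and post-processing (Figure 19),
modelled with flat Python structures as a stand-in for the CMS EnvelopedData /
SignedData structures an S/MIME implementation would parse.  Added example:
all values are constructed, none come from the patent."""
from dataclasses import dataclass, field
from typing import Dict, List
import hashlib


def _blob(label: str, size: int) -> bytes:
    """Deterministic opaque stand-in for ciphertext, a wrapped key or a certificate."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


@dataclass
class RecipientInfo:
    """One per addressee: the message's session key wrapped with that recipient's public key."""
    recipient: str
    wrapped_session_key: bytes  # an RSA-2048 wrap is 256 bytes (constructed here)


@dataclass
class EncryptedMessage:
    """Body encrypted once under a session key; one RecipientInfo per addressee."""
    sender: str
    recipients: List[str]
    recipient_infos: List[RecipientInfo]
    encrypted_body: bytes

    def wire_size(self) -> int:
        return len(self.encrypted_body) + sum(len(r.wrapped_session_key) for r in self.recipient_infos)


def preprocess_for_device(msg: EncryptedMessage, device_user: str) -> EncryptedMessage:
    """Figure 18, processing 1808: drop every wrapped session key the mobile device cannot
    unwrap, leaving only the one for the device's own user.  The address list and the
    encrypted body are untouched, so the device still decrypts with the same session key."""
    keep = [r for r in msg.recipient_infos if r.recipient == device_user]
    if not keep:
        raise ValueError(f"{device_user} is not a recipient of this message")
    return EncryptedMessage(msg.sender, list(msg.recipients), keep, msg.encrypted_body)


@dataclass
class DeviceSignedMessage:
    """Signed message as sent by the device: the signature-related information is
    replaced by an indication (here a certificate identifier) that the host resolves."""
    sender: str
    body: bytes
    signature: bytes
    signer_cert_id: str


@dataclass
class SignedMessage:
    """Signed message as forwarded to recipients, carrying the full certificate chain."""
    sender: str
    body: bytes
    signature: bytes
    cert_chain: List[bytes] = field(default_factory=list)


def postprocess_from_device(msg: DeviceSignedMessage, cert_store: Dict[str, List[bytes]]) -> SignedMessage:
    """Figure 19, processing 1908: remove the indication and append the signature-related
    information (the certificate chain) it identifies, so ordinary S/MIME recipients can verify."""
    try:
        chain = cert_store[msg.signer_cert_id]
    except KeyError:
        raise ValueError(f"no certificate chain for indication {msg.signer_cert_id!r}") from None
    return SignedMessage(msg.sender, msg.body, msg.signature, list(chain))


def sample_encrypted_message() -> EncryptedMessage:
    """Constructed three-recipient message: 4000-byte body, 256-byte wrapped key each."""
    recipients = ["alice@example.com", "bob@example.com", "carol@example.com"]
    infos = [RecipientInfo(r, _blob(f"key:{r}", 256)) for r in recipients]
    return EncryptedMessage("sender@example.org", recipients, infos, _blob("body", 4000))


def sample_device_signed_message() -> DeviceSignedMessage:
    """Constructed device-signed message that refers to its signer certificate by id."""
    return DeviceSignedMessage("alice@example.com", b"Meeting moved to 3pm", _blob("sig", 256), "cert:alice:2002")


SAMPLE_CERT_STORE: Dict[str, List[bytes]] = {
    # constructed chain: end-entity certificate plus the issuing CA certificate
    "cert:alice:2002": [_blob("cert:alice", 900), _blob("cert:ca", 1100)],
}


if __name__ == "__main__":
    full = sample_encrypted_message()
    slim = preprocess_for_device(full, "bob@example.com")
    print(f"wire size {full.wire_size()} -> {slim.wire_size()} bytes")
    out = postprocess_from_device(sample_device_signed_message(), SAMPLE_CERT_STORE)
    print(f"appended {len(out.cert_chain)} certificates, {sum(map(len, out.cert_chain))} bytes")
```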
The pre-processing and post-processing systems described here address many problems, such as the difficulty current systems have in attempting to transmit entire S/MIME messages to a mobile device, due mainly to the bandwidth and battery limitations associated with mobile devices. One difficulty is that S/MIME messages are usually too large to be sent efficiently to a mobile device over a wireless communication network. If entire S/MIME messages were sent to or received from a mobile device, an excessive amount of memory and battery power could be consumed for a single message. Considering the time needed to receive or transmit a message at the mobile device, the memory needed to store it, and the battery power needed to process the message exchange, attempts to support S/MIME products directly have undesirable characteristics for the average business user. Another illustrative problem is that there are currently no public key servers accessible from wireless networks and mobile devices. As a result, the use of public key cryptographic operations is very difficult and requires large cache operations at the mobile device to eliminate the need for a Public Key Infrastructure (PKI). In the field of exchanging secure e-mail messages there are additional problems, including: (1) the mobile device cannot retrieve public encryption keys from a PKI in order to encrypt messages sent from the mobile device; (2) the mobile device cannot retrieve public keys for received signed messages; (3) very large CRLs cannot be handled on a small device; and (4) the complex mathematical operations involved in public key encryption algorithms cause time delays when performed on the slow processor of a mobile device. These and other problems result in a poor and frustrating user experience when a user attempts to exchange S/MIME-based e-mail messages using a mobile device.
The pre-processing and post-processing systems and methods described here process secure e-mail messages so that such messages, including for example S/MIME messages, can be exchanged with a mobile device. The systems and methods also leverage the processing power of the host system associated with the mobile device, so that the user has a better experience when exchanging S/MIME messages with the mobile device.
Further examples of the wide range of systems and methods disclosed herein are shown in Figures 20-22. Figures 20-22 depict additional uses of the systems and methods in different exemplary communication systems. Figure 20 is a block diagram showing an example communication system. In Figure 20 there are shown a computer system 2002, a WAN 2004, a corporate LAN 2006 behind a security firewall 2008, wireless infrastructure 2010, wireless networks 2012 and 2014, and mobile wireless communication devices ("mobile devices") 2016 and 2018. The corporate LAN 2006 includes a message server 2020, a wireless connector system 2028, a data store 2017 including at least a plurality of mailboxes 2019, a desktop computer system 2022 having a direct communication link to a mobile device through a physical connection 2024 to an interface or connector 2026, and a wireless Virtual Private Network (VPN) router 2032. The operation of the system in Figure 20 is described below with reference to messages 2033, 2034 and 2036.
The computer system 2002 may, for example, be a laptop, desktop or palmtop computer system configured to connect to the WAN 2004. Such a computer system may connect to the WAN 2004 through an ISP or ASP. Alternatively, the computer system 2002 may be a networked computer system that, like the computer system 2022, accesses the WAN 2004 through a LAN or other network. Many modern mobile devices can connect to a WAN through various infrastructure and gateway arrangements, so the computer system 2002 may also be a mobile device.
The corporate LAN 2006 is an illustrative example of a central, server-based messaging system that has been enabled for wireless communication. The corporate LAN 2006 may be referred to as a "host system", in that it hosts the data store 2017 with the mailboxes 2019 for messages, possibly further data stores (not shown) for other data items that may be sent to or received from the mobile devices 2016 and 2018, the wireless connector system 2028, the wireless VPN router 2032, and possibly other components that enable communication between the corporate LAN 2006 and the one or more mobile devices 2016 and 2018. In more general terms, a host system may be one or more computers at, with, or in association with which a wireless connector system operates, as described above. The corporate LAN 2006 is one preferred embodiment of a host system, in which the host system is a server computer running within a corporate network environment protected by at least one security communications firewall 2008. Other possible central host systems include ISP, ASP and other service provider or mail systems. Although the desktop computer system 2024 and the interface/connector 2026 may be located outside such host systems, wireless communication operations may be similar to those described below.
The corporate LAN 2006 implements the wireless connector system 2028 as an associated wireless communications enabling component, which is normally a software program, a software application, or a software component built to work with at least one or more message servers. The wireless connector system 2028 is used to send user-selected information to, and to receive information from, one or more mobile devices 2016 and 2018 via one or more wireless networks 2012 and 2014. The wireless connector system 2028 may be a separate component of the messaging system, as shown in Figure 20, or may instead be partially or entirely incorporated into other communication system components. For example, the message server 2020 may incorporate a software program, application or component that implements the wireless connector system 2028, part of it, or some or all of its functionality.
The message server 2020, running on a computer behind the firewall 2008, acts as the main interface through which the corporation exchanges messages, including for example e-mail, calendar data, voice mail, electronic documents and other personal information management (PIM) data, with the WAN 2004, which is typically the Internet. The particular intermediate operations and computers depend on the specific type of message delivery mechanism and network through which messages are exchanged, and are therefore not shown in Figure 20. The functionality of the message server 2020 may extend beyond message sending and receiving, providing features such as dynamic database storage for data like calendars, to-do lists, task lists, e-mail and documentation.
Message servers such as 2020 normally maintain a plurality of mailboxes 2019 in one or more data stores such as 2017 for each user having an account on the server. The data store 2017 includes the mailboxes 2019 for a number ("n") of user accounts. Messages received by the message server 2020 that identify a user, a user account, a mailbox, or possibly another address associated with a user, account or mailbox 2019 as a message recipient are typically stored in the corresponding mailbox 2019. If a message is addressed to multiple recipients or a distribution list, copies of the same message may be stored in more than one mailbox 2019. Alternatively, the message server 2020 may store a single copy of such a message in a data store accessible to all users having an account on the message server, and store a pointer or other identifier in each recipient's mailbox 2019. In a typical messaging system, each user may access his or her mailbox 2019 and its contents using a messaging client such as Microsoft Outlook or Lotus Notes, which normally runs on a PC, such as the desktop computer system 2022, connected within the LAN 2006. Although only one desktop computer system 2022 is shown in Figure 20, those skilled in the art will appreciate that a LAN will typically contain many desktop, notebook and laptop computer systems. Each messaging client normally accesses a mailbox 2019 through the message server 2020, although in some cases a messaging client may directly access the data store 2017 and a mailbox 2019 stored thereon by the desktop computer system 2022. Messages may also be downloaded from the data store 2017 to a local data store (not shown) on the desktop computer system 2022.
Within the corporate LAN 2006, the wireless connector system 2028 operates in conjunction with the message server 2022. The wireless connector system 2028 may reside on the same computer system as the message server 2022, or may instead be implemented on a different computer system. Software implementing the wireless connector system 2028 may also be partially or entirely integrated with the message server 2022. The wireless connector system 2028 is preferably designed to cooperate and interact with the message server 2020 to allow information to be pushed to the mobile devices 2016, 2018. In such an installation, the wireless connector system 2028 is preferably configured to send information stored in one or more data stores associated with the corporate LAN 2006 to one or more mobile devices 2016, 2018 through the corporate firewall 2008 and via the WAN 2004 and one of the wireless networks 2012, 2014. For example, a user having an account and associated mailbox 2019 in the data store 2017 may also have a mobile device such as 2016. As described above, messages received by the message server 2020 that identify the user, the account or the mailbox 2019 are stored in the corresponding mailbox 2019 by the message server 2020. If the user has a mobile device such as 2016, messages received by the message server 2020 and stored in the user's mailbox 2019 are preferably detected by the wireless connector system 2028 and sent to the user's mobile device 2016. This type of functionality represents a "push" message transfer technique. The wireless connector system 2028 may instead employ a "pull" technique, in which items stored in a mailbox 2019 are sent to a mobile device 2016, 2018 in response to a request or access operation made using the mobile device, or some combination of the two techniques.
Thus, use of the wireless connector 2028 allows the messaging system including the message server 2020 to be extended so that each user's mobile device 2016, 2018 has access to messages stored by the message server 2020.
As shown in Figure 20, and similarly to the system of Fig. 1, there are several paths for exchanging information between the corporate LAN 2006 and the mobile devices 2016, 2018. One possible information transfer path is through the physical connection 2024, such as a serial port, using an interface or connector 2026. This path may be useful, for example, for the bulk PIM and signature-related information updates, data synchronization, and private encryption or signature key transfers described above. In known "synchronization" type wireless messaging systems, a physical path has also been used to transfer messages from the mailboxes 2019 associated with the message server 2020 to the mobile devices 2016 and 2018.
Another method for exchanging data with the mobile devices 2016, 2018 is over the air, through the wireless connector system 2028 and using the wireless networks 2012, 2014. As shown in Figure 20, this may involve a wireless VPN router 2032 or a traditional WAN connection to wireless infrastructure 2010 that provides an interface to one or more wireless networks 2012, 2014. The wireless VPN router 2032 provides for the creation of a VPN connection directly through a specific wireless network 2012 to a wireless device 2016. The main advantage of using a wireless VPN router 2032 is that it may be an off-the-shelf VPN component that does not require the wireless infrastructure 2010. A VPN connection may use a Transmission Control Protocol over IP (TCP/IP) or User Datagram Protocol over IP (UDP/IP) connection to deliver messages directly to, and receive messages from, the mobile device 2016.
If a wireless VPN router 2032 is not available, then a connection to the WAN 2004, normally the Internet, is a commonly used connection mechanism that may be employed by the wireless connector system 2028. To handle the addressing of the mobile device 2016 and any other required interface functions, wireless infrastructure 2010 is preferably used.
In some implementations, more than one over-the-air information exchange mechanism may be provided in the corporate LAN 2006. In the example communication system of Figure 20, for instance, the mobile devices 2016, 2018 associated with users having mailboxes 2019 associated with user accounts on the message server 2020 are configured to operate on different wireless networks 2012 and 2014. If the wireless network 2012 supports IPv6 addressing, then the wireless VPN router 2032 may be used by the wireless connector system 2028 to exchange data with any mobile device 2016 operating within the wireless network 2012. The wireless network 2014, however, may be a different type of wireless network, such as the Mobitex network, in which case information may instead be exchanged with a mobile device 2018 operating within the wireless network 2014 by the wireless connector system 2028 via a connection to the WAN 2004 and the wireless infrastructure 2010.
The operation of the system in Figure 20 is similar to that of the figures described above. An e-mail message 2033 is sent from the computer system 2002 and addressed to at least one recipient having both an account and mailbox 2019 or similar data store associated with the message server 2020 and a mobile device 2016 or 2018. The e-mail message 2033 is, however, intended for illustrative purposes only. The exchange of other types of information between the corporate LAN 2006 and the mobile devices is preferably also enabled by the wireless connector system 2028.
The e-mail message 2033, sent from the computer system 2002 via the WAN 2004, may be entirely in the clear, or signed with a digital signature and/or encrypted, depending on the particular messaging scheme used. For example, if the computer system 2002 is enabled for secure messaging using S/MIME, then the e-mail message 2003 may be signed, encrypted or both.
The e-mail message 2033 arrives at the message server 2020, which determines into which mailboxes 2019 the e-mail message 2033 should be stored. As described above, a message such as the e-mail message 2033 may include a user name, a user account, a mailbox identifier, or another type of identifier that the message server 2020 can map to a particular account or associated mailbox 2019. For the e-mail message 2033, recipients are typically identified using e-mail addresses corresponding to a user account and thus to a mailbox 2019.
The wireless connector system 2028 preferably sends or mirrors, via a wireless network 2012 or 2014, certain user-selected data items or parts of data items from the corporate LAN 2006 to the user's mobile device 2016 or 2018 upon detecting that one or more triggering events has occurred. A triggering event includes, but is not limited to, one or more of the following: activation of a screen saver at the user's networked computer system 2022; disconnection of the user's mobile device 2016 or 2018 from the interface 2026; or receipt of a command sent from a mobile device 2016 or 2018 to the host system to start sending one or more messages stored at the host system. Thus, the wireless connector system 2028 may detect triggering events associated with the message server 2020, such as receipt of a command, or with one or more networked computer systems 2022, such as the screen saver and disconnection events described above. When wireless access to corporate data for a mobile device 2016 or 2018 has been activated at the LAN 2006, for example when the wireless connector system 2028 detects the occurrence of a triggering event for a mobile device user, data items selected by the user are preferably sent to the user's mobile device. In the example of the e-mail message 2033, assuming that a triggering event has been detected, the arrival of the message 2033 at the message server 2020 is detected by the wireless connector system 2028. This may be accomplished, for example, by monitoring or polling the mailboxes 2019 associated with the message server 2020, or, if the message server 2020 is a Microsoft Exchange server, the wireless connector system 2028 may register for the advise syncs provided by the Microsoft Messaging Application Programming Interface (MAPI) so as to receive notifications when a new message is stored to a mailbox 2019.
When a data item such as the e-mail message 2033 is to be sent to a mobile device 2016 or 2018, the wireless connector system 2028 preferably repackages the data item, as indicated at 2034 and 2036. The repackaging technique may be the same for any available transfer path or may depend upon the particular transfer path, either the wireless infrastructure 2010 or the wireless VPN router 2032. For example, the e-mail message 2033 is preferably compressed and encrypted, either before or after being repackaged at 2034, to provide effective and secure transfer to the mobile device 2018. Compression reduces the bandwidth required to send the message, while encryption ensures the confidentiality of any messages or other information sent to the mobile devices 2016 and 2018. In contrast, messages transferred via the VPN router 2032 might only be compressed and not encrypted, since the VPN connection established by the VPN router 2032 is inherently secure. Messages are thus sent securely to the mobile devices 2016 and 2018, either through encryption at the wireless connector system 2028, which may be regarded as a non-standard VPN tunnel or VPN-like connection, or through the VPN router 2032. Accessing messages using a mobile device 2016 or 2018 is therefore no less secure than accessing mailboxes at the LAN 2006 using the desktop computer system 2022.
When a repackaged message 2034 or 2036 arrives at a mobile device 2016 or 2018, via the wireless infrastructure 2010 or the wireless VPN router 2032, the mobile device 2016 or 2018 removes the outer electronic envelope from the repackaged message 2034 or 2036 and performs any required decompression and decryption operations. Messages sent from a mobile device 2016 or 2018 and addressed to one or more recipients are preferably repackaged in the same way, possibly compressed and encrypted, and sent to a host system such as the LAN 2006. The host system then removes the electronic envelope from the repackaged message, decrypts and decompresses the message if necessary, and routes the message to the addressed recipients.
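The repackaging and device-side unpacking described above, written out as an added example (not the patent's implementation): both the wireless-infrastructure path (compress, encrypt, envelope) and the VPN-router path (compress and envelope only) are shown. The device identifier, key and nonce are constructed, zlib stands in for the compressor, and an HMAC-SHA256 keystream with an HMAC tag stands in for whatever cipher a real deployment would use.

```python
"""Repackaging for the over-the-air path (Figure 20, items 2034 and 2036) and the
device-side unpacking (removal of the outer electronic envelope, decryption,
decompression).  Added example, not the patent's code.  zlib stands in for the
compressor; the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag,
used only so the example runs on the standard library alone."""
import hashlib
import hmac
import json
import struct
import zlib
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the device key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || block counter) for each 32-byte block."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def repackage(message: bytes, device_id: str, key: Optional[bytes], nonce: bytes) -> bytes:
    """Compress, then encrypt (skipped when key is None: the VPN-router path, where the
    tunnel already provides confidentiality), then prepend the outer electronic envelope."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes")
    payload = zlib.compress(message, 9)
    encrypted = key is not None
    if encrypted:
        ct = _xor(payload, _keystream(_subkey(key, b"enc"), nonce, len(payload)))
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        payload = nonce + ct + tag
    envelope = json.dumps({"to": device_id, "compressed": True, "encrypted": encrypted,
                           "len": len(payload)}).encode()
    return struct.pack(">H", len(envelope)) + envelope + payload


def unpackage(packet: bytes, key: Optional[bytes]) -> bytes:
    """Device side: strip the envelope, verify the tag and decrypt if needed, then decompress."""
    (hlen,) = struct.unpack(">H", packet[:2])
    envelope = json.loads(packet[2:2 + hlen])
    payload = packet[2 + hlen:]
    if len(payload) != envelope["len"]:
        raise ValueError("truncated or padded payload")
    if envelope["encrypted"]:
        if key is None:
            raise ValueError("payload is encrypted but no key was supplied")
        nonce, ct, tag = payload[:NONCE_LEN], payload[NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication tag mismatch")
        payload = _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))
    return zlib.decompress(payload) if envelope["compressed"] else payload


def sample_message() -> bytes:
    """Constructed e-mail with the kind of repetitive base64 body an S/MIME message carries."""
    headers = (b"From: sender@example.org\r\nTo: user@example.com\r\n"
               b"Subject: Q3 figures\r\nContent-Type: application/pkcs7-mime\r\n\r\n")
    return headers + b"MIIBogYJKoZIhvcNAQcDoIIBkzCCAY8CAQAxggEn\r\n" * 60


SAMPLE_KEY = hashlib.sha256(b"constructed device key").digest()  # constructed
SAMPLE_NONCE = bytes(range(16))  # constructed; a deployment would use a fresh random nonce


def roundtrip_sizes(message: bytes, key: Optional[bytes]):
    """Return (original size, packaged size, recovered message) for the chosen path."""
    packet = repackage(message, "device-2016", key, SAMPLE_NONCE)
    return len(message), len(packet), unpackage(packet, key)


if __name__ == "__main__":
    for label, key in (("wireless infrastructure 2010", SAMPLE_KEY), ("VPN router 2032", None)):
        orig, packed, back = roundtrip_sizes(sample_message(), key)
        print(f"{label}: {orig} -> {packed} bytes, intact={back == sample_message()}")
```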
Figure 21 is a block diagram of an alternative example communication system in which wireless communications are enabled by a component associated with the operator of a wireless network. As shown in Figure 21, the system includes a computer system 2002, a WAN 2004, a corporate LAN 2007 located behind a security firewall 2008, network operator infrastructure 2040, a wireless network 2011, and mobile devices 2013 and 2015. The computer system 2002, WAN 2004, security firewall 2008, message server 2020, data store 2017, mailboxes 2019 and VPN router 2035 are substantially the same as the similarly labelled components in Figure 20. However, since the VPN router 2035 communicates with the network operator infrastructure 2040, it need not be a wireless VPN router in the system of Figure 21. The network operator infrastructure 2040 enables wireless information exchange between the LAN 2007 and the mobile devices 2013, 2015, which are respectively associated with the computer systems 2042 and 2052 and configured to operate within the wireless network 2011. In the LAN 2007, a plurality of desktop computer systems 2042, 2052 is shown, each having a physical connection 2046, 2056 to an interface or connector 2048, 2058. A wireless connector system 2044, 2054 operates on, or in conjunction with, each computer system 2042, 2052.
The wireless connector systems 2044, 2054 are similar to the wireless connector system 2028 described above, in that they enable data items, such as e-mail messages stored in the mailboxes 2019 and possibly other data items stored in a local or network data store, to be sent from the LAN 2007 to one or more mobile devices 2013, 2015. In Figure 21, however, the network operator infrastructure 2040 provides the interface between the mobile devices 2013, 2015 and the LAN 2007. As above, the operation of the system shown in Figure 21 is described below using an e-mail message as an illustrative example of a data item that may be sent to a mobile device 2013, 2015.
When an e-mail message 2033, addressed to one or more recipients having an account on the message server 2020, is received by the message server 2020, the message, or possibly a pointer to a single copy of the message stored in a central mailbox or data store, is stored in the mailbox 2019 of each such recipient. Once the e-mail message 2033 or pointer has been stored in a mailbox 2019, it may preferably be accessed using a mobile device 2013 or 2015. In the example shown in Figure 21, the e-mail message 2033 has been addressed to the mailboxes 2019 associated with both desktop computer systems 2042 and 2052, and thus with both mobile devices 2013 and 2015.
As those skilled in the art will appreciate, communication network protocols commonly used in wired networks such as the LAN 2707 and/or the WAN 2004 are not suitable for, or compatible with, the wireless network communication protocols used within wireless networks such as 2011. For example, communication bandwidth, protocol overhead and network latency, which are primary concerns in wireless networks, are less significant in wired networks, which typically have much higher capacity and speed than wireless networks. The mobile devices 2013 and 2015 therefore cannot normally access the data store 2017 directly. The network operator infrastructure 2040 provides a bridge between the wireless network 2011 and the LAN 2007.
The network operator infrastructure 2040 enables the mobile devices 2013, 2015 to establish a connection to the LAN 2007 through the WAN 2004, and may, for example, be operated by the operator of the wireless network 2011 or by a service provider that provides wireless communication services for the mobile devices 2013 and 2015. In a pull-based system, a mobile device 2013, 2015 may establish a communication session with the network operator infrastructure 2040 using a wireless-network-compatible communication scheme, preferably a secure scheme such as Wireless Transport Layer Security (WTLS) when the information must remain confidential, and a wireless web browser such as a Wireless Application Protocol (WAP) browser. A user may then request (through manual selection or pre-selected defaults in software resident on the mobile device) any or all of the information, or only new information for example, stored in a mailbox 2019 in the data store 2017 at the LAN 2007. If no session has already been established, the network operator infrastructure 2040 then establishes a connection or session with a wireless connector system 2044, 2054, using Secure Hypertext Transfer Protocol (HTTPS) for example. As above, a session between the network operator infrastructure 2040 and a wireless connector system 2044, 2054 may be carried over a typical WAN connection or through the VPN router 2035, if available. Where the delay between receiving a request from a mobile device 2013, 2015 and delivering the requested information back to the device is to be minimized, the network operator infrastructure 2040 and the wireless connector systems 2044, 2054 may be configured so that communication connections remain open once established.
In the system of Figure 21, requests originating from mobile devices A 2013 and B 2015 are sent to the wireless connector systems 2044 and 2054, respectively. Upon receiving a request for information from the network operator infrastructure 2040, a wireless connector system 2044, 2054 retrieves the requested information from a data store. For the e-mail message 2033, the wireless connector system 2044, 2054 typically retrieves the e-mail message 2033 from the appropriate mailbox 2019 through a messaging client operating in conjunction with the computer system 2042, 2052, which accesses the mailbox 2019 either via the message server 2020 or directly. Alternatively, a wireless connector system 2044, 2054 may be configured to access the mailboxes 2019 itself, directly or through the message server 2020. In addition, other data stores, both network data stores similar to the data store 2017 and local data stores associated with each computer system 2042, 2052, may be accessible to a wireless connector system 2044, 2054, and thus to a mobile device 2013, 2015.
If the e-mail message 2033 is addressed to the message server accounts or mailboxes 2019 associated with both computer systems 2042 and 2052 and both devices 2013 and 2015, then the e-mail message 2033 may be sent to the network operator infrastructure 2040 as shown at 2060 and 2062, which then sends a copy of the e-mail message to each mobile device 2013 and 2015, as indicated at 2064 and 2066. Information may be transferred between the wireless connector systems 2044, 2054 and the network operator infrastructure 2040 via either a connection to the WAN 2004 or the VPN router 2035. When the network operator infrastructure 2040 communicates with the mobile devices 2013, 2015 and with the wireless connector systems 2044, 2054 via different protocols, translation operations may be performed by the network operator infrastructure 2040. Repackaging techniques may also be used between the wireless connector systems 2044, 2054 and the network operator infrastructure 2040, and between each mobile device 2013, 2015 and the network operator infrastructure 2040.
Messages or other information to be sent from a mobile device 2013, 2015 may be processed in a similar manner, with such information first being transferred from the mobile device 2013, 2015 to the network operator infrastructure 2040. The network operator infrastructure 2040 may then send the information to a wireless connector system 2044, 2054 for storage in a mailbox 2019 and delivery to any addressed recipients by the message server 2020 for example, or may alternatively deliver the information to the addressed recipients itself.
The above description of the system in Figure 21 relates to pull-based operation. The wireless connector systems 2044, 2054 and the network operator infrastructure may instead be configured to push data items to the mobile devices 2013 and 2015. A combined push/pull system is also possible. For example, a notification of a new message, or a list of data items currently stored in a data store at the LAN 2007, may be pushed to a mobile device 2013, 2015, which may then request messages or data items from the LAN 2007 via the network operator infrastructure 2040.
If mobile devices associated with user accounts on the LAN 2007 are configured to operate within different wireless networks, then each wireless network may have an associated wireless network infrastructure component similar to 2040.
Although separate, dedicated wireless connector systems 2044, 2054 are shown for each computer system 2042, 2052 in the system of Figure 21, one or more of the wireless connector systems 2044, 2054 may preferably be configured to operate in conjunction with more than one computer system 2042, 2052, or to access a data store or mailbox 2019 associated with more than one computer system. For example, the wireless connector system 2044 may be granted access to the mailboxes 2019 associated with both the computer system 2042 and the computer system 2052. Requests for data items from either mobile device A 2013 or B 2015 may then be processed by the wireless connector system 2044. This configuration may be used to enable communication between the LAN 2007 and the mobile devices 2013 and 2015 without requiring a desktop computer system 2042, 2052 to be running for each mobile device user. A wireless connector system may instead be implemented in conjunction with the message server 2020 to enable wireless communications.
Figure 22 is a block diagram of another alternative communication system. The system includes a computer system 2002, a WAN 2004, a corporate LAN 2009 located behind a security firewall 2008, an access gateway 2080, a data store 2082, wireless networks 2084 and 2086, and mobile devices 2088 and 2090. In the LAN 2009, the computer system 2002, WAN 2004, security firewall 2008, message server 2020, data store 2017, mailboxes 2019, desktop computer system 2022, physical connection 2024, interface or connector 2026 and VPN router 2035 are substantially the same as the corresponding components described above. The access gateway 2080 and the data store 2082 provide the mobile devices 2088 and 2090 with access to data items stored at the LAN 2009. In Figure 22, a wireless connector system 2078 operates on, or in conjunction with, the message server 2020, although a wireless connector system may instead operate on, or in conjunction with, one or more desktop computer systems in the LAN 2009.
The wireless connector system 2078 provides for the transfer of data items stored at the LAN 2009 to one or more mobile devices 2088, 2090. These data items preferably include e-mail messages stored in the mailboxes 2019 on the data store 2017, as well as possibly other data items stored in the data store 2017, in another network data store, or in the local data store of a computer system such as 2022.
As described above, an e-mail message 2033 addressed to one or more recipients having an account on the message server 2020 and received by the message server 2020 may be stored in the mailbox 2019 of each such recipient. In the system of Figure 22, the external data store 2082 preferably has a structure similar to that of the data store 2017 and is kept synchronized with the data store 2017. PIM information or data stored at the data store 2082 is preferably independently modifiable relative to the PIM information or data stored at the host system. In this particular configuration, the independently modifiable information at the external data store 2082 may be kept synchronized with a plurality of data stores associated with a user (data on the mobile device, data on a personal computer at home, data on the corporate LAN). This synchronization may be accomplished, for example, through updates sent to the data store 2082 by the wireless connector system 2078 at certain time intervals, each time an entry in the data store 2017 is added or changed, at certain times of day, or when initiated at the LAN 2009; through updates to the data store 2082 by the message server 2020 or a computer system 2022; or possibly through updates sent to the data store 2082 by a mobile device 2088, 2090 through the access gateway 2080. In the case of the e-mail message 2033, for example, an update sent to the data store 2082 some time after the e-mail message 2033 is received may indicate that the message 2033 has been stored in a certain mailbox 2019 in the store 2017, and a copy of the e-mail message will then be stored in the corresponding storage area in the data store 2082. When the e-mail message 2033 has been stored in the mailboxes 2019 corresponding to the mobile devices 2088 and 2090, for example, one or more copies of the e-mail message, indicated at 2092 and 2094 in Figure 22, are sent to and stored in the corresponding storage areas or mailboxes in the data store 2082. As shown, updates or copies of the information stored in the data store 2017 may be sent to the data store 2082 via a connection to the WAN 2004 or via the VPN router 2035. For example, the wireless connector system 2078 may post updates or stored information to a resource in the data store 2082 via an HTTP POST request. Alternatively, a secure protocol such as HTTPS or Secure Sockets Layer (SSL) may be used. Those skilled in the art will appreciate that a single copy of a data item stored in more than one location in a data store at the LAN 2009 may instead be sent to the data store 2082. This copy of the data item may then be stored in more than one corresponding location in the data store 2082, or a single copy may be stored in the data store 2082 with a pointer or other identifier to the stored data item placed in each corresponding location in the data store 2082.
The access gateway 2080 is effectively an access platform, in that it provides the mobile devices 2088 and 2090 with access to the data store 2082. The data store 2082 may be configured as a resource accessible on the WAN 2082, and the access gateway 2080 may be an ISP system or a WAP gateway through which the mobile devices 2088 and 2090 connect to the WAN 2004. A WAP browser or other browser compatible with the wireless networks 2084 and 2086 may then be used to access the data store 2082, which is synchronized with the data store 2017, and to download stored data items either automatically or in response to a request from a mobile device 2088, 2090. As shown at 2096 and 2098, copies of the e-mail message 2033 stored in the data store 2017 may be sent to the mobile devices 2088 and 2090. A data store (not shown) on each mobile device 2088, 2090 may thereby be synchronized with a portion, such as a mailbox 2019, of the data store 2017 on the corporate LAN 2009. Changes to a mobile device data store may similarly be reflected in the data stores 2082 and 2017.

Claims (17)

1. A method of reducing the size of an encrypted message at a host system before sending the message to a wireless mobile communication device, the method comprising the steps of:
(a) receiving at the host system, from a message sender, an encrypted message addressed to first and second message recipients, the encrypted message comprising an encrypted message body and an encrypted session key for each message recipient;
(b) generating at the host system a first reduced-size encrypted message comprising the encrypted message body and the encrypted session key for the first message recipient, the first reduced-size encrypted message not including the encrypted session key for the second message recipient; and
(c) transmitting the first reduced-size encrypted message to a wireless mobile communication device corresponding to said first message recipient,
wherein said encrypted session keys are encrypted using public keys obtained electronically from different companies over a network to which the host system is connected.
2. The method of claim 1, wherein the step of generating the first reduced-size encrypted message comprises the step of removing an encrypted session key other than said encrypted session key for the first message recipient, to form the first reduced-size encrypted message.
3. The method of claim 1, wherein the step of generating the first reduced-size encrypted message comprises the step of removing all encrypted session keys other than said encrypted session key for the first message recipient, to form the first reduced-size encrypted message.
4. The method of claim 3, wherein the step of generating the first reduced-size encrypted message further comprises the step of removing from the message the message recipient information fields that map each encrypted session key to a message recipient.
5. The method of claim 1, wherein:
said receiving step (a) comprises the step of receiving at the host system, from a message sender, an encrypted message addressed to a plurality of message recipients, the encrypted message comprising an encrypted message body and an encrypted session key for each message recipient;
the method further comprises the step of determining whether any of the message recipients has a corresponding wireless mobile communication device;
said generating step (b) comprises the step of generating, for each message recipient having a corresponding wireless mobile device, a reduced-size encrypted message comprising the encrypted message body and only the encrypted session key for that message recipient; and
said transmitting step (c) comprises the step of sending each reduced-size encrypted message to the corresponding wireless mobile communication device.
6. The method of claim 5, wherein a message recipient shares a single address with its corresponding wireless mobile communication device.
7. The method of claim 5, wherein each encrypted session key is encrypted using a public key of the message recipient, and the message recipient shares the public key and its associated private key with its corresponding wireless mobile communication device.
8. The method of claim 1, wherein said encrypted message is a message that has been signed and then encrypted, and further comprises an encrypted digital signature; and
the step of generating the first reduced-size encrypted message comprises the step of generating a reduced-size encrypted message comprising the encrypted message body, the encrypted digital signature and the encrypted session key for the first message recipient.
9. The method of claim 8, wherein:
the encrypted message further comprises encrypted signature-related information; and
the step of generating the first reduced-size encrypted message comprises the step of generating a reduced-size encrypted message comprising the encrypted message body, the encrypted digital signature, the encrypted signature-related information and the encrypted session key for the first message recipient.
10. The method of claim 1, wherein said encrypted message is a Secure Multipurpose Internet Mail Extensions (S/MIME) email message.
11. The method of claim 1, wherein said encrypted message is encrypted according to Pretty Good Privacy (PGP), and wherein a second encrypted message is processed by the host system for transmission to a wireless mobile communication device, the second encrypted message being a Secure Multipurpose Internet Mail Extensions (S/MIME) email message.
12. A system for reducing the size of an encrypted message for transmission to a wireless mobile device, the system comprising:
a host system configured to receive, from a message sender, an encrypted message addressed to message recipients, the encrypted message comprising an encrypted message body and an encrypted session key for each message recipient; and
a wireless connector system associated with the host system and configured to determine whether any of the message recipients has a corresponding wireless mobile communication device and, if so, to generate, for each message recipient having a corresponding wireless mobile communication device, a reduced-size encrypted message comprising the message body and only the encrypted session key for that message recipient, and to send the reduced-size encrypted message to the wireless mobile communication device, wherein at least two of the encrypted session keys for the message recipients are encrypted using public keys obtained electronically from different companies over a network to which the host system is connected.
13. The system of claim 12, wherein said host system comprises a message server system.
14. The system of claim 13, wherein the message server system is implemented within a secure network behind a network security firewall.
15. The system of claim 12, wherein said host system comprises a desktop computer system or a laptop computer system.
16. The system of claim 12, wherein network operator infrastructure effects the wireless exchange of messages between the host system and the wireless mobile communication device.
17. A system for reducing the size of an encrypted message at a host system before the message is sent to a wireless mobile communication device, the system comprising:
receiving means for receiving at the host system, from a message sender, an encrypted message addressed to first and second message recipients, the encrypted message comprising an encrypted message body and an encrypted session key for each message recipient;
generating means for generating at the host system a first reduced-size encrypted message comprising the encrypted message body and the encrypted session key for the first message recipient, the first reduced-size encrypted message not including the encrypted session key for the second message recipient; and
transmitting means for sending the first reduced-size encrypted message to a wireless mobile communication device corresponding to said first message recipient,
wherein said encrypted session keys are encrypted using public keys obtained electronically from different companies over a network to which the host system is connected, and
wherein different electronic secure messaging schemes are used to encrypt the messages sent to the host system.
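The host-side reduction that claims 1 to 9 describe, as an added worked example; this is not code from the patent or from the applicant. It models the hybrid-encryption layout shared by S/MIME (CMS EnvelopedData with one RecipientInfo per addressee) and PGP (one public-key encrypted session key packet per addressee): the body, and for signed-then-encrypted mail the signature and signer information, are encrypted once under a random session key, and that session key is wrapped once per recipient. The host strips every wrapped key except the target recipient's and forwards everything else unchanged, which it can do without any private key. The key wrap and body cipher here are stand-ins built from HMAC-SHA256 so the block runs on the standard library alone; real mail would use RSA or ECDH for the wrap and AES for the body. The recipient names, keys and message contents are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    Used both to encrypt the body and to wrap the session key; real S/MIME or
    PGP would use AES for the body and RSA/ECDH for the wrap (assumption)."""
    stream = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class RecipientInfo:
    """One wrapped copy of the session key (CMS RecipientInfo / PGP PKESK analogue)."""
    recipient_id: str
    wrapped_key: bytes  # session key encrypted under this recipient's key
    tag: bytes          # integrity tag over wrapped_key, checked on unwrap


@dataclass(frozen=True)
class EncryptedMessage:
    nonce: bytes
    recipient_infos: tuple       # one RecipientInfo per addressee
    encrypted_body: bytes
    encrypted_signature: bytes   # claim 8: the signature sits inside the encryption
    encrypted_sig_info: bytes    # claim 9: e.g. signer certificate, also encrypted

    def size(self) -> int:
        fixed = (len(self.nonce) + len(self.encrypted_body)
                 + len(self.encrypted_signature) + len(self.encrypted_sig_info))
        return fixed + sum(len(r.recipient_id) + len(r.wrapped_key) + len(r.tag)
                           for r in self.recipient_infos)


def encrypt_for_recipients(body: bytes, recipient_keys: dict,
                           signature: bytes, sig_info: bytes) -> EncryptedMessage:
    """Sender side: one random session key, wrapped once per recipient."""
    session_key, nonce = os.urandom(32), os.urandom(16)
    infos = []
    for rid, rkey in recipient_keys.items():
        wrapped = keystream_xor(rkey, b"wrap" + nonce, session_key)
        infos.append(RecipientInfo(rid, wrapped, hmac.new(rkey, wrapped, hashlib.sha256).digest()))
    return EncryptedMessage(nonce, tuple(infos),
                            keystream_xor(session_key, b"body" + nonce, body),
                            keystream_xor(session_key, b"sig" + nonce, signature),
                            keystream_xor(session_key, b"info" + nonce, sig_info))


def reduce_for_recipient(msg: EncryptedMessage, recipient_id: str) -> EncryptedMessage:
    """Host-system step (claims 1 to 4): keep only this recipient's wrapped session key.
    Needs no private key; body, signature and signature info are forwarded unchanged."""
    keep = tuple(r for r in msg.recipient_infos if r.recipient_id == recipient_id)
    if not keep:
        raise LookupError(f"message carries no session key for {recipient_id}")
    return replace(msg, recipient_infos=keep)


def decrypt(msg: EncryptedMessage, recipient_id: str, recipient_key: bytes) -> tuple:
    """Device side: unwrap own session key, then decrypt body, signature and info."""
    info = next((r for r in msg.recipient_infos if r.recipient_id == recipient_id), None)
    if info is None:
        raise LookupError(f"message carries no session key for {recipient_id}")
    expected = hmac.new(recipient_key, info.wrapped_key, hashlib.sha256).digest()
    if not hmac.compare_digest(info.tag, expected):
        raise ValueError("wrapped session key failed integrity check")
    session_key = keystream_xor(recipient_key, b"wrap" + msg.nonce, info.wrapped_key)
    return (keystream_xor(session_key, b"body" + msg.nonce, msg.encrypted_body),
            keystream_xor(session_key, b"sig" + msg.nonce, msg.encrypted_signature),
            keystream_xor(session_key, b"info" + msg.nonce, msg.encrypted_sig_info))


def demo() -> dict:
    """Constructed sample: three addressees; Alice's device receives a reduced copy."""
    keys = {rid: os.urandom(32)
            for rid in ("alice@example.com", "bob@example.com", "carol@example.com")}
    full = encrypt_for_recipients(b"Q3 numbers attached", keys, b"<signature>", b"<signer cert>")
    reduced = reduce_for_recipient(full, "alice@example.com")
    body, sig, info = decrypt(reduced, "alice@example.com", keys["alice@example.com"])
    try:                                   # Bob's wrapped key is gone from Alice's copy
        decrypt(reduced, "bob@example.com", keys["bob@example.com"])
        bob_locked_out = False
    except LookupError:
        bob_locked_out = True
    return {"full_size": full.size(), "reduced_size": reduced.size(),
            "body": body, "signature": sig, "sig_info": info, "bob_locked_out": bob_locked_out}


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the structure. First, the reduction does not weaken end-to-end confidentiality: the host only deletes wrapped keys it could never open, and the device still decrypts with its own private key. Neither the CMS recipientInfos set nor the sequence of PGP session-key packets is covered by an integrity check, so deleting entries leaves the remaining structure valid. Second, a reduced copy is bound to one recipient; it cannot later be forwarded to another recipient's device, so the host should keep the full message and generate one reduced copy per device as claim 5 describes.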
CN028157591A 2001-06-12 2002-06-12 System and method for compressing secure e-mail for exchange with a mobile data communication device Expired - Lifetime CN1717697B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US29768101P 2001-06-12 2001-06-12
US60/297,681 2001-06-12
US36553502P 2002-03-20 2002-03-20
US60/365,535 2002-03-20
PCT/CA2002/000889 WO2002101605A2 (en) 2001-06-12 2002-06-12 System and method for compressing secure e-mail for exchange with a mobile data communication device

Publications (2)

Publication Number Publication Date
CN1717697A CN1717697A (en) 2006-01-04
CN1717697B true CN1717697B (en) 2012-01-25

Family

ID=23147310

Family Applications (2)

Application Number Title Priority Date Filing Date
CN028154851A Expired - Lifetime CN1653459B (en) 2001-06-12 2002-06-12 System and method for processing encoded messages for exchange with a mobile data communication device
CN028157591A Expired - Lifetime CN1717697B (en) 2001-06-12 2002-06-12 System and method for compressing secure e-mail for exchange with a mobile data communication device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN028154851A Expired - Lifetime CN1653459B (en) 2001-06-12 2002-06-12 System and method for processing encoded messages for exchange with a mobile data communication device

Country Status (9)

Country Link
US (6) US7653815B2 (en)
EP (1) EP1410296A2 (en)
JP (2) JP4460283B2 (en)
KR (1) KR100576558B1 (en)
CN (2) CN1653459B (en)
AU (1) AU2002317062A1 (en)
CA (1) CA2450631C (en)
IL (2) IL159340A0 (en)
WO (1) WO2002102009A2 (en)

Families Citing this family (178)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7003304B1 (en) 1997-09-19 2006-02-21 Thompson Investment Group, Llc Paging transceivers and methods for selectively retrieving messages
US6636733B1 (en) 1997-09-19 2003-10-21 Thompson Trust Wireless messaging method
US6826407B1 (en) 1999-03-29 2004-11-30 Richard J. Helferich System and method for integrating audio and visual messaging
US6253061B1 (en) 1997-09-19 2001-06-26 Richard J. Helferich Systems and methods for delivering information to a transmitting and receiving device
US6983138B1 (en) 1997-12-12 2006-01-03 Richard J. Helferich User interface for message access
IL159342A0 (en) 2001-06-12 2004-06-01 Research In Motion Ltd Certificate management and transfer system and method
IL159341A0 (en) 2001-06-12 2004-06-01 Research In Motion Ltd System and method for compressing secure e-mail for exchange with a mobile data communication device
WO2002102009A2 (en) 2001-06-12 2002-12-19 Research In Motion Limited Method for processing encoded messages for exchange with a mobile data communication device
WO2003007570A1 (en) * 2001-07-10 2003-01-23 Research In Motion Limited System and method for secure message key caching in a mobile communication device
CN100380895C (en) 2001-08-06 2008-04-09 捷讯研究有限公司 System and method for processing encoded messages
BRPI0213542B1 (en) * 2001-10-25 2016-10-25 Blackberry Ltd multistage system and method for processing encrypted messages
JP4386732B2 (en) 2002-01-08 2009-12-16 セブン ネットワークス, インコーポレイテッド Mobile network connection architecture
US20030216954A1 (en) * 2002-02-27 2003-11-20 David Buzzelli Apparatus and method for exchanging and storing personal information
JP4792221B2 (en) * 2002-06-06 2011-10-12 トムソン ライセンシング Broker-based interconnection using hierarchical certificates
US7090127B2 (en) * 2002-07-08 2006-08-15 The Boeing Company Connector identification module for mobile platform
US7376091B1 (en) * 2002-07-22 2008-05-20 Sprint Spectrum L.P. Wireless bridge for interfacing an 802.11 network with a cellular network
EP2325743B1 (en) 2003-01-31 2012-12-19 Good Technology Corporation Asynchronous real-time retrieval of data
EP1661327B1 (en) * 2003-08-12 2014-10-08 BlackBerry Limited Method and apparatus for processing encoded messages
US7457955B2 (en) * 2004-01-14 2008-11-25 Brandmail Solutions, Inc. Method and apparatus for trusted branded email
US7924771B2 (en) * 2004-04-13 2011-04-12 Qualcomm, Incorporated Multimedia communication using co-located care of address for bearer traffic
EP1761870A4 (en) * 2004-04-30 2007-10-03 Research In Motion Ltd System and method for searching secure electronic messages
DE602004031562D1 (en) * 2004-04-30 2011-04-07 Research In Motion Ltd SYSTEM AND METHOD FOR SECURING DATA
CA2535371C (en) 2004-05-05 2011-11-01 Research In Motion Limited System and method for sending secure messages
CN1961557B (en) * 2004-05-31 2011-03-30 意大利电信股份公司 Method and system for a secure connection in communication networks
JP4670270B2 (en) * 2004-06-28 2011-04-13 ソニー株式会社 Communication system and communication apparatus
GB2415874B (en) * 2004-07-02 2007-03-07 Vodafone Ireland Ltd Securing distributed data
US20060036849A1 (en) * 2004-08-09 2006-02-16 Research In Motion Limited System and method for certificate searching and retrieval
US9094429B2 (en) 2004-08-10 2015-07-28 Blackberry Limited Server verification of secure electronic messages
US7631183B2 (en) 2004-09-01 2009-12-08 Research In Motion Limited System and method for retrieving related certificates
US7549043B2 (en) 2004-09-01 2009-06-16 Research In Motion Limited Providing certificate matching in a system and method for searching and retrieving certificates
US7640428B2 (en) * 2004-09-02 2009-12-29 Research In Motion Limited System and method for searching and retrieving certificates
GB0419479D0 (en) * 2004-09-02 2004-10-06 Cryptomathic Ltd Data certification methods and apparatus
EP2157759B1 (en) * 2004-09-07 2013-01-09 Research In Motion Limited System and method for updating message trust status
US7509120B2 (en) 2004-09-07 2009-03-24 Research In Motion Limited System and method for updating message trust status
US20060075259A1 (en) * 2004-10-05 2006-04-06 Bajikar Sundeep M Method and system to generate a session key for a trusted channel within a computer system
US7643818B2 (en) 2004-11-22 2010-01-05 Seven Networks, Inc. E-mail messaging to/from a mobile terminal
US20060251255A1 (en) * 2005-04-20 2006-11-09 Puneet Batta System and method for utilizing a wireless communication protocol in a communications network
CN101176314A (en) * 2005-05-13 2008-05-07 奈索希埃有限公司 Point-to-point technology communication method and system enabling calling letter transmission and receiving
US8898452B2 (en) * 2005-09-08 2014-11-25 Netapp, Inc. Protocol translation
US8200971B2 (en) * 2005-09-23 2012-06-12 Cisco Technology, Inc. Method for the provision of a network service
GB0519466D0 (en) * 2005-09-23 2005-11-02 Scansafe Ltd Network communications
EP1803249B1 (en) 2005-10-14 2010-04-07 Research In Motion Limited System and method for protecting master encryption keys
US7953971B2 (en) * 2005-10-27 2011-05-31 Research In Motion Limited Synchronizing certificates between a device and server
TWI410108B (en) * 2005-10-28 2013-09-21 Hon Hai Prec Ind Co Ltd A multi-function mobile phone
US8316230B2 (en) * 2005-11-14 2012-11-20 Microsoft Corporation Service for determining whether digital certificate has been revoked
US8191105B2 (en) * 2005-11-18 2012-05-29 Research In Motion Limited System and method for handling electronic messages
EP1788771B1 (en) * 2005-11-18 2010-05-19 Research In Motion Limited System and method for handling electronic messages
KR100666695B1 (en) * 2005-11-29 2007-01-11 삼성전자주식회사 Communication system decresed delay-period
US8355701B2 (en) 2005-11-30 2013-01-15 Research In Motion Limited Display of secure messages on a mobile communication device
US20070123217A1 (en) * 2005-11-30 2007-05-31 Research In Motion Limited Display of secure messages on a mobile communication device
US7840207B2 (en) * 2005-11-30 2010-11-23 Research In Motion Limited Display of secure messages on a mobile communication device
EP1806683A1 (en) * 2005-11-30 2007-07-11 Research In Motion Limited Display of secure messages on a mobile communication device
DE602006000817T2 (en) * 2006-02-03 2008-07-17 Research In Motion Ltd., Waterloo System and method for controlling data communication between a server and a client device
DE602006005913D1 (en) * 2006-05-26 2009-05-07 Sap Ag A method and apparatus for protecting data of a mobile agent in a network system.
US8495380B2 (en) * 2006-06-06 2013-07-23 Red Hat, Inc. Methods and systems for server-side key generation
US7814161B2 (en) * 2006-06-23 2010-10-12 Research In Motion Limited System and method for handling electronic mail mismatches
FI20065479A0 (en) * 2006-07-05 2006-07-05 Nokia Corp group Communications
US8555057B2 (en) * 2006-07-21 2013-10-08 At&T Intellectual Property I, L.P. System and method for securing a network
FR2904902A1 (en) * 2006-08-11 2008-02-15 France Telecom METHOD AND SYSTEM FOR AUTHENTICATING USERS IN A COMMUNICATION NETWORK
US7822985B2 (en) * 2006-08-21 2010-10-26 The Boeing Company Real-time electronic signature validation systems and methods
JP2008092097A (en) * 2006-09-29 2008-04-17 Seiko Precision Inc Time stamp adding device, time stamp adding method and computer program
US20080097954A1 (en) * 2006-10-20 2008-04-24 Microsoft Corporation Ranged lookups
US7769009B1 (en) * 2006-12-11 2010-08-03 Sprint Communications Company L.P. Automatic peer to peer mobile device data replication
US8856511B2 (en) * 2006-12-14 2014-10-07 Blackberry Limited System and method for wiping and disabling a removed device
CN101364869B (en) * 2007-08-09 2012-03-28 鸿富锦精密工业(深圳)有限公司 Electronic document digital checking system and method
US8335490B2 (en) * 2007-08-24 2012-12-18 Futurewei Technologies, Inc. Roaming Wi-Fi access in fixed network architectures
US7949355B2 (en) * 2007-09-04 2011-05-24 Research In Motion Limited System and method for processing attachments to messages sent to a mobile device
US8254582B2 (en) 2007-09-24 2012-08-28 Research In Motion Limited System and method for controlling message attachment handling functions on a mobile device
DE102007047632A1 (en) * 2007-10-04 2009-04-09 T-Mobile International Ag Interconnection of virtual worlds with mobile news services
US7975144B2 (en) 2008-01-10 2011-07-05 Research In Motion Limited Systems and methods for server aided processing of a signed receipt
US20090216678A1 (en) * 2008-02-25 2009-08-27 Research In Motion Limited System and method for facilitating secure communication of messages associated with a project
DE102008000895B4 (en) * 2008-03-31 2013-04-11 CompuGroup Medical AG Use of a mobile telecommunication device as electronic health card
FR2930392B1 (en) * 2008-04-22 2022-01-28 Trustseed METHOD AND DEVICE FOR SECURING DATA TRANSFERS
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8725123B2 (en) 2008-06-05 2014-05-13 Headwater Partners I Llc Communications device with secure data path processing agents
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8326958B1 (en) 2009-01-28 2012-12-04 Headwater Partners I, Llc Service activation tracking system
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US8296563B2 (en) 2008-10-22 2012-10-23 Research In Motion Limited Method of handling a certification request
US8897448B2 (en) * 2008-10-31 2014-11-25 Ciena Corporation Controlling session keys through in-band signaling
JP5404030B2 (en) * 2008-12-26 2014-01-29 デジタルア−ツ株式会社 Electronic file transmission method
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US8606911B2 (en) 2009-03-02 2013-12-10 Headwater Partners I Llc Flow tagging for service policy implementation
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US8255685B2 (en) 2009-03-17 2012-08-28 Research In Motion Limited System and method for validating certificate issuance notification messages
US8805983B2 (en) * 2009-10-19 2014-08-12 Dell Products L.P. Local externally accessible managed virtual network interface controller
EP2348449A3 (en) * 2009-12-18 2013-07-10 CompuGroup Medical AG A computer implemented method for performing cloud computing on data being stored pseudonymously in a database
EP2348447B1 (en) 2009-12-18 2014-07-16 CompuGroup Medical AG A computer implemented method for generating a set of identifiers from a private key, computer implemented method and computing device
EP2348452B1 (en) 2009-12-18 2014-07-02 CompuGroup Medical AG A computer implemented method for sending a message to a recipient user, receiving a message by a recipient user, a computer readable storage medium and a computer system
EP2365456B1 (en) * 2010-03-11 2016-07-20 CompuGroup Medical SE Data structure, method and system for predicting medical conditions
US8645699B2 (en) 2010-03-15 2014-02-04 Blackberry Limited Use of certificate authority to control a device's access to services
US20110269486A1 (en) * 2010-04-29 2011-11-03 I/O Interconnect, Ltd. Notice method and assistance system for sending e-mail
WO2012027472A2 (en) 2010-08-24 2012-03-01 Copiun, Inc. Constant access gateway and de-duplicated data cache server
US9166794B2 (en) * 2010-11-15 2015-10-20 Blackberry Limited Securing private key access for cross-component message processing
US9137014B2 (en) * 2011-01-25 2015-09-15 Adobe Systems Incorporated Systems and methods for controlling electronic document use
US8611544B1 (en) 2011-01-25 2013-12-17 Adobe Systems Incorporated Systems and methods for controlling electronic document use
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices
CN102752272A (en) * 2011-04-22 2012-10-24 中兴通讯股份有限公司 Method, system and device for processing digital signatures of media message
US8830971B1 (en) 2011-07-26 2014-09-09 Sprint Spectrum L.P. Control of maximum number of concurrent local device connections for a mobile hotspot
CN102567026B (en) * 2011-12-28 2016-03-30 用友网络科技股份有限公司 Mobile solution constructing system and Mobile solution construction method
US9449183B2 (en) * 2012-01-28 2016-09-20 Jianqing Wu Secure file drawer and safe
EP2632097A1 (en) * 2012-02-21 2013-08-28 Lleidanetworks Serveis Telemàtics S.A. Method for certifying delivery of SMS/MMS data messages to mobile terminals
US9900158B2 (en) * 2012-03-23 2018-02-20 Nokia Technologies Oy Cryptographically authenticated communication
US9264433B2 (en) * 2012-03-27 2016-02-16 Intel Corporation Secure and automatic connection to wireless network
US9584451B2 (en) * 2012-04-24 2017-02-28 Blackberry Limited System, method and apparatus for optimizing wireless communications of secure e-mail messages with attachments
WO2014159862A1 (en) 2013-03-14 2014-10-02 Headwater Partners I Llc Automated credential porting for mobile devices
US9092778B2 (en) 2013-03-15 2015-07-28 Varsgen, Llc Bank account protection method utilizing a variable assigning request string generator and receiver algorithm
US9825923B2 (en) 2013-04-12 2017-11-21 Nokia Solutions And Networks Oy Secure radio information transfer over mobile radio bearer
US10439996B2 (en) 2014-02-11 2019-10-08 Yaana Technologies, LLC Method and system for metadata analysis and collection with privacy
US9693263B2 (en) 2014-02-21 2017-06-27 Yaana Technologies, LLC Method and system for data flow management of user equipment in a tunneling packet data network
US10447503B2 (en) 2014-02-21 2019-10-15 Yaana Technologies, LLC Method and system for data flow management of user equipment in a tunneling packet data network
US10334037B2 (en) 2014-03-31 2019-06-25 Yaana Technologies, Inc. Peer-to-peer rendezvous system for minimizing third party visibility and method thereof
KR102125562B1 (en) 2014-06-18 2020-06-22 삼성전자주식회사 Method and Apparatus for Sharing Key
CA3166669A1 (en) * 2014-07-10 2016-01-14 Fasetto, Llc Systems and methods for message editing
DE102014011687B3 (en) * 2014-08-04 2016-02-04 Giesecke & Devrient Gmbh Communication system with PKI key pair for mobile terminal
US10285038B2 (en) 2014-10-10 2019-05-07 Yaana Technologies, Inc. Method and system for discovering user equipment in a network
US10542426B2 (en) 2014-11-21 2020-01-21 Yaana Technologies, LLC System and method for transmitting a secure message over a signaling network
US9699167B1 (en) * 2015-01-06 2017-07-04 Shoretel, Inc. Distributed authentication
WO2016149355A1 (en) * 2015-03-16 2016-09-22 Convida Wireless, Llc End-to-end authentication at the service layer using public keying mechanisms
US9572037B2 (en) 2015-03-16 2017-02-14 Yaana Technologies, LLC Method and system for defending a mobile network from a fraud
WO2016176661A1 (en) 2015-04-29 2016-11-03 Yaana Technologies, Inc. Scalable and iterative deep packet inspection for communications networks
WO2017004711A1 (en) * 2015-07-06 2017-01-12 Cryptomill Inc. System and method for providing privacy control to message based communications
US11057772B2 (en) * 2015-10-16 2021-07-06 Nokia Technologies Oy Message authentication
US9832024B2 (en) 2015-11-13 2017-11-28 Visa International Service Association Methods and systems for PKI-based authentication
WO2017083855A1 (en) 2015-11-13 2017-05-18 Yaana Technologies Llc System and method for discovering internet protocol (ip) network address and port translation bindings
WO2017106793A1 (en) * 2015-12-16 2017-06-22 Visa International Service Association Systems and methods for secure multi-party communications using a proxy
WO2017214288A1 (en) 2016-06-07 2017-12-14 Visa International Service Association Multi-level communication encryption
US10348690B2 (en) * 2016-07-08 2019-07-09 Xattic, Inc. Secure message inoculation
CN109726564B (en) * 2018-05-14 2020-09-18 网联清算有限公司 Information processing method and information processing system applied to encryption machine
EP3668135B1 (en) * 2018-12-14 2020-12-09 Deutsche Telekom AG Authorization method for enabling or disabling resources and terminal
CN113748642A (en) * 2019-02-26 2021-12-03 上海亚融信息技术有限公司 Digital signature terminal and secure communication method
CN110808969B (en) * 2019-10-28 2020-08-04 网御安全技术(深圳)有限公司 Data transmission method and system, electronic device and storage medium
US11528601B1 (en) 2021-06-09 2022-12-13 T-Mobile Usa, Inc. Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption
CN114938312B (en) * 2022-07-25 2022-09-23 北京中电普华信息技术有限公司 Data transmission method and device
CN115102788B (en) * 2022-08-10 2023-01-17 北京安盟信息技术股份有限公司 Method for improving performance of digital envelope through key reuse and digital envelope

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061448A (en) * 1997-04-01 2000-05-09 Tumbleweed Communications Corp. Method and system for dynamic server document encryption
US6084969A (en) * 1997-12-31 2000-07-04 V-One Corporation Key encryption system and method, pager unit, and pager proxy for a two-way alphanumeric pager network
EP1096727A2 (en) * 1998-05-29 2001-05-02 Research In Motion Limited System and method for pushing information from a host system to a mobile data communication device

Family Cites Families (166)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US765315A (en) * 1903-08-31 1904-07-19 John A Just Evaporating apparatus.
US4028500A (en) 1973-05-15 1977-06-07 Martin Marietta Corporation Mobile unit supervisory control sequencer and method
US4206315A (en) * 1978-01-04 1980-06-03 International Business Machines Corporation Digital signature system and apparatus
US4885777A (en) * 1985-09-04 1989-12-05 Hitachi, Ltd. Electronic transaction system
JP2901767B2 (en) 1991-02-08 1999-06-07 株式会社東芝 Cryptographic communication system and portable electronic device
US5327555A (en) 1991-02-14 1994-07-05 Hewlett-Packard Company Method for reconciling entries in a plurality of schedules
US5519606A (en) * 1992-01-21 1996-05-21 Starfish Software, Inc. System and methods for appointment reconciliation
US5457748A (en) 1992-11-30 1995-10-10 Motorola, Inc. Method and apparatus for improved security within encrypted communication devices
US5666530A (en) 1992-12-02 1997-09-09 Compaq Computer Corporation System for automatic synchronization of common file between portable computer and host computer via communication channel selected from a plurality of usable channels there between
JPH06276221A (en) 1993-03-17 1994-09-30 Toshiba Corp Electronic mail system containing top secret mail function
US5710922A (en) * 1993-06-02 1998-01-20 Apple Computer, Inc. Method for synchronizing and archiving information between computer systems
US5420942A (en) * 1993-09-21 1995-05-30 Levit; Itzhak Methods and devices for self-correcting video compression
US5410602A (en) 1993-09-27 1995-04-25 Motorola, Inc. Method for key management of point-to-point communications
US6922775B2 (en) * 1993-12-03 2005-07-26 Fujitsu Limited User support system for cryptographic communication in network systems
JPH07162407A (en) 1993-12-03 1995-06-23 Fujitsu Ltd User support device for ciphering communication in network system
KR950018342A (en) * 1993-12-15 1995-07-22 윌리엄 이. 램버트 3세 Mixtures to improve the adhesion of coatings to chalky substrates
US5613012A (en) 1994-11-28 1997-03-18 Smarttouch, Llc. Tokenless identification system for authorization of electronic transactions and electronic transmissions
US7743248B2 (en) * 1995-01-17 2010-06-22 Eoriginal, Inc. System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components
US5778068A (en) * 1995-02-13 1998-07-07 Eta Technologies Corporation Personal access management system
JPH08251221A (en) 1995-03-13 1996-09-27 Nippon Telegr & Teleph Corp <Ntt> Message handling method
JP3710518B2 (en) * 1995-06-01 2005-10-26 東芝テック株式会社 Network printing system
US5623546A (en) * 1995-06-23 1997-04-22 Motorola, Inc. Encryption method and system for portable data
JP3590143B2 (en) 1995-07-28 2004-11-17 株式会社東芝 Email transfer device
US5884323A (en) * 1995-10-13 1999-03-16 3Com Corporation Extendible method and apparatus for synchronizing files on two different computer systems
US5727202A (en) * 1995-10-18 1998-03-10 Palm Computing, Inc. Method and apparatus for synchronizing information on two different computer systems
US5870030A (en) * 1996-04-04 1999-02-09 Motorola, Inc. Advertiser pays information and messaging system and apparatus
US6085323A (en) 1996-04-15 2000-07-04 Kabushiki Kaisha Toshiba Information processing system having function of securely protecting confidential information
US5751813A (en) * 1996-04-29 1998-05-12 Motorola, Inc. Use of an encryption server for encrypting messages
JPH1022992A (en) 1996-07-05 1998-01-23 Hitachi Inf Syst Ltd Multi-address cipher communication method for message and storage medium
US5812671A (en) 1996-07-17 1998-09-22 Xante Corporation Cryptographic communication system
CN1177872A (en) * 1996-07-31 1998-04-01 三星电子株式会社 Method for realizing digital signing with information appendix and checking method thereof
US6918038B1 (en) 1996-08-13 2005-07-12 Angel Secure Networks, Inc. System and method for installing an auditable secure network
JPH10107832A (en) 1996-09-25 1998-04-24 Hitachi Software Eng Co Ltd Cipher multi-address mail system
US5828753A (en) * 1996-10-25 1998-10-27 Intel Corporation Circuit and method for ensuring interconnect security within a multi-chip integrated circuit package
US5909491A (en) * 1996-11-06 1999-06-01 Nokia Mobile Phones Limited Method for sending a secure message in a telecommunications system
US6009173A (en) * 1997-01-31 1999-12-28 Motorola, Inc. Encryption and decryption method and apparatus
US5956707A (en) * 1997-02-13 1999-09-21 Chu; Wesley W. Database system with query relaxation using type abstraction hierarchy (TAH) as query condition relaxation structure
US20010050990A1 (en) * 1997-02-19 2001-12-13 Frank Wells Sudia Method for initiating a stream-oriented encrypted communication
US6229894B1 (en) 1997-07-14 2001-05-08 Entrust Technologies, Ltd. Method and apparatus for access to user-specific encryption information
ATE444614T1 (en) 1997-07-24 2009-10-15 Axway Inc Email firewall
US7127741B2 (en) * 1998-11-03 2006-10-24 Tumbleweed Communications Corp. Method and system for e-mail message transmission
ES2389882T3 (en) 1997-07-30 2012-11-02 Visto Corporation System and method to access globally and securely to unified information in a computer network
GB2328125B (en) 1997-08-08 2002-04-10 Ericsson Telefon Ab L M Network control system
JP3542895B2 (en) * 1997-08-22 2004-07-14 インターナショナル・ビジネス・マシーンズ・コーポレーション Time-constrained cryptosystem
US6119228A (en) 1997-08-22 2000-09-12 Compaq Computer Corporation Method for securely communicating remote control commands in a computer network
JP3240971B2 (en) * 1997-08-25 2001-12-25 日本電気株式会社 Information display method and information display device
WO1999017564A1 (en) 1997-09-29 1999-04-08 Motorola Inc. Method and apparatus for providing subscriber identification protection to a receiver
US6125369A (en) * 1997-10-02 2000-09-26 Microsoft Corporation Continuous object synchronization between object stores on different computers
US6978017B2 (en) * 1997-10-14 2005-12-20 Entrust Limited Method and system for providing updated encryption key pairs and digital signature key pairs in a public key system
US6073237A (en) 1997-11-06 2000-06-06 Cybercash, Inc. Tamper resistant method and apparatus
FI974341A (en) 1997-11-26 1999-05-27 Nokia Telecommunications Oy Data protection for data connections
US6108788A (en) * 1997-12-08 2000-08-22 Entrust Technologies Limited Certificate management system and method for a communication security system
US5991399A (en) * 1997-12-18 1999-11-23 Intel Corporation Method for securely distributing a conditional use private key to a trusted entity on a remote system
FI108827B (en) 1998-01-08 2002-03-28 Nokia Corp A method for implementing connection security in a wireless network
US6081899A (en) * 1998-01-09 2000-06-27 Netscape Communications Corporation Time stamp authority hierarchy protocol and associated validating system
US6925568B1 (en) 1998-01-16 2005-08-02 Sonera Oyj Method and system for the processing of messages in a telecommunication system
US6233577B1 (en) 1998-02-17 2001-05-15 Phone.Com, Inc. Centralized certificate management system for two-way interactive communication devices in data networks
JPH11272581A (en) 1998-03-25 1999-10-08 Toshiba Corp Method, system for transmitting mail and recording medium in which the same is programmed and recorded
JPH11272582A (en) 1998-03-25 1999-10-08 Sony Corp Electronic mail providing device and electronic mail providing method
US6230186B1 (en) * 1998-04-28 2001-05-08 Rhoda Yaker Private electronic message system
US6504941B2 (en) 1998-04-30 2003-01-07 Hewlett-Packard Company Method and apparatus for digital watermarking of images
JP3801782B2 (en) 1998-06-22 2006-07-26 三菱電機株式会社 Certificate collection information generation device, certificate verification device, and public key cryptographic operation system
US6564320B1 (en) * 1998-06-30 2003-05-13 Verisign, Inc. Local hosting of digital certificate services
US6397197B1 (en) * 1998-08-26 2002-05-28 E-Lynxx Corporation Apparatus and method for obtaining lowest bid from information product vendors
US6301658B1 (en) * 1998-09-09 2001-10-09 Secure Computing Corporation Method and system for authenticating digital certificates issued by an authentication hierarchy
US6389455B1 (en) * 1998-09-22 2002-05-14 Richard C. Fuisz Method and apparatus for bouncing electronic messages
US6266420B1 (en) 1998-10-08 2001-07-24 Entrust Technologies Limited Method and apparatus for secure group communications
US7113927B1 (en) 1998-10-09 2006-09-26 Victor Company Of Japan, Limited Data distribution system, data distribution method, portable terminal with data receiving capability, portable terminal with data transmitting/receiving capability, recording medium onto which data content is recorded, encoding apparatus, and decoding apparatus
WO2000031931A1 (en) 1998-11-24 2000-06-02 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for securing data objects
JP3497088B2 (en) * 1998-12-21 2004-02-16 松下電器産業株式会社 Communication system and communication method
WO2000042748A1 (en) 1999-01-14 2000-07-20 Tumbleweed Communications Corp. Web-based delivery of secure e-mail messages
US6697942B1 (en) 1999-02-04 2004-02-24 Earthlink, Inc. Method for remotely managing a remote device using an electronic mail message
CA2267395C (en) * 1999-03-30 2002-07-09 Ibm Canada Limited-Ibm Canada Limitee Method and system for managing keys for encrypted data
US6591367B1 (en) * 1999-03-31 2003-07-08 Atabok Japan, Inc. Method and apparatus for preventing unauthorized copying and distributing of electronic messages transmitted over a network
FR2792142B1 (en) 1999-04-08 2001-06-01 France Telecom Authentication and message signature method using reduced commitments
US6308201B1 (en) * 1999-04-08 2001-10-23 Palm, Inc. System and method for sharing data among a plurality of personal digital assistants
US6779111B1 (en) 1999-05-10 2004-08-17 Telefonaktiebolaget Lm Ericsson (Publ) Indirect public-key encryption
US7020708B2 (en) * 1999-05-14 2006-03-28 Cingular Wireless Ii, Llc Aircraft data services
US6231985B1 (en) * 1999-05-18 2001-05-15 Ashland Inc. Heat and radio frequency-curable two-pack soy protein-based polyurethane adhesive compositions
CZ20014168A3 (en) 1999-05-21 2002-05-15 International Business Machines Corporation Process and apparatus for initialization of safeguarded communication and for creating exclusive couples pairs of wireless devices
KR20010004791A (en) 1999-06-29 2001-01-15 윤종용 Apparatus for securing user's information and method thereof in mobile communication system connecting with internet
JP3696445B2 (en) 1999-08-25 2005-09-21 日本電信電話株式会社 Public key certificate issuance method, user terminal, authentication center apparatus, and medium storing these programs
CN1235131C (en) 1999-08-30 2006-01-04 富士通株式会社 Device for data reproduction
IL132147A0 (en) * 1999-09-30 2001-03-19 B M N Technology System for providing messages
JP2001103571A (en) 1999-10-01 2001-04-13 Mitsubishi Electric Corp Mobile communication service providing system
US7003667B1 (en) * 1999-10-04 2006-02-21 Canon Kabushiki Kaisha Targeted secure printing
US6931532B1 (en) 1999-10-21 2005-08-16 International Business Machines Corporation Selective data encryption using style sheet processing
JP3963417B2 (en) * 1999-11-19 2007-08-22 株式会社東芝 Communication method and electronic device for data synchronization processing
US6707914B1 (en) 1999-11-29 2004-03-16 Cisco Technology, Inc. System and method for encrypting information within a communications network
US6912656B1 (en) 1999-11-30 2005-06-28 Sun Microsystems, Inc. Method and apparatus for sending encrypted electronic mail through a distribution list exploder
US7032240B1 (en) * 1999-12-07 2006-04-18 Pace Anti-Piracy, Inc. Portable authorization device for authorizing use of protected information and associated method
US6829357B1 (en) 1999-12-14 2004-12-07 Trw Inc. Communication system having a transmitter and a receiver that engage in reduced size encrypted data communication
US6996720B1 (en) * 1999-12-17 2006-02-07 Microsoft Corporation System and method for accessing protected content in a rights-management architecture
JP4508331B2 (en) 2000-01-07 2010-07-21 新日鉄ソリューションズ株式会社 Authentication agent device, authentication agent method, authentication agent service system, and computer-readable recording medium
US6745024B1 (en) * 2000-01-10 2004-06-01 Qualcomm Incorporated System and method for preparing and sending an electronic mail communication using a wireless communications device
EP1119132A3 (en) 2000-01-19 2003-01-02 Research In Motion Limited Broadcasting encrypted messages using session keys
US6779115B1 (en) 2000-02-18 2004-08-17 Digital5, Inc. Portable device using a smart card to receive and decrypt digital data
GB0004287D0 (en) 2000-02-23 2000-04-12 Leeper Kim System and method for authenticating electronic documents
JP2001237821A (en) 2000-02-25 2001-08-31 Nec Corp Encrypted message distribution system and recording medium for its program
JP4617533B2 (en) 2000-03-14 2011-01-26 ソニー株式会社 Information providing apparatus and method, information processing apparatus and method, and program storage medium
US20040193900A1 (en) 2000-03-17 2004-09-30 Mark Nair System, method and apparatus for controlling the dissemination of digital works
US20020038420A1 (en) * 2000-04-13 2002-03-28 Collins Timothy S. Method for efficient public key based certification for mobile and desktop environments
AU2001255366A1 (en) 2000-04-14 2001-10-30 Postx Corporation Systems and methods for encrypting/decrypting data
US20020007453A1 (en) * 2000-05-23 2002-01-17 Nemovicher C. Kerry Secured electronic mail system and method
US7278017B2 (en) 2000-06-07 2007-10-02 Anoto Ab Method and device for secure wireless transmission of information
EP2770455B1 (en) 2000-06-16 2017-01-25 MIH Technology Holdings BV Method and system to exercise geographic restrictions over the distribution of content via a network
JP4547777B2 (en) 2000-06-19 2010-09-22 コニカミノルタビジネステクノロジーズ株式会社 E-mail management apparatus, e-mail processing system, e-mail processing method, and computer-readable recording medium recording e-mail processing program
JP2002033760A (en) * 2000-07-14 2002-01-31 Nec Corp Method and system for surrogate-warranting security of electronic mail, and recording medium
US6661927B1 (en) 2000-07-27 2003-12-09 Motorola, Inc. System and method for efficiently encoding an image by prioritizing groups of spatially correlated coefficients based on an activity measure
CA2417916A1 (en) * 2000-08-04 2002-02-14 Lynn Henry Wheeler Method and apparatus for access authentication entity
US6531985B1 (en) * 2000-08-14 2003-03-11 3Com Corporation Integrated laptop antenna using two or more antennas
GB2366013B (en) 2000-08-17 2002-11-27 Sun Microsystems Inc Certificate validation mechanism
JP2002082907A (en) * 2000-09-11 2002-03-22 Nec Corp Security function substitution method in data communication and its system, and recording medium
US20020053032A1 (en) * 2000-09-14 2002-05-02 Dowling William Race System and method for secure data transmission
GB0027280D0 (en) 2000-11-08 2000-12-27 Malcolm Peter An information management system
FR2818062B1 (en) 2000-12-07 2003-04-11 Thomson Multimedia Sa Method for secure transmission of digital data from a source to a receiver
US7333482B2 (en) * 2000-12-22 2008-02-19 Interactive People Unplugged Ab Route optimization technique for mobile IP
US6928461B2 (en) * 2001-01-24 2005-08-09 Raja Singh Tuli Portable high speed internet access device with encryption
US7299502B2 (en) 2001-02-14 2007-11-20 Hewlett-Packard Development Company, L.P. System and method for providing customized secure access to shared documents
US6904521B1 (en) * 2001-02-16 2005-06-07 Networks Associates Technology, Inc. Non-repudiation of e-mail messages
US20020147905A1 (en) * 2001-04-05 2002-10-10 Sun Microsystems, Inc. System and method for shortening certificate chains
US20020165967A1 (en) * 2001-05-02 2002-11-07 Morgan Paul A. Global personalization engine
US6714778B2 (en) * 2001-05-15 2004-03-30 Nokia Corporation Context sensitive web services
US6744874B2 (en) * 2001-05-15 2004-06-01 Hengning Wu Method of universal communication and devices thereof
WO2002095679A2 (en) * 2001-05-23 2002-11-28 Canesta, Inc. Enhanced dynamic range conversion in 3-d imaging
US7003662B2 (en) * 2001-05-24 2006-02-21 International Business Machines Corporation System and method for dynamically determining CRL locations and access methods
US20030002671A1 (en) * 2001-06-11 2003-01-02 Eastman Kodak Company Delivery of electronic content over a network using a hybrid optical disk for authentication
WO2002102009A2 (en) 2001-06-12 2002-12-19 Research In Motion Limited Method for processing encoded messages for exchange with a mobile data communication device
IL159342A0 (en) * 2001-06-12 2004-06-01 Research In Motion Ltd Certificate management and transfer system and method
IL159341A0 (en) * 2001-06-12 2004-06-01 Research In Motion Ltd System and method for compressing secure e-mail for exchange with a mobile data communication device
SE522647C2 (en) 2001-07-04 2004-02-24 Ericsson Telefon Ab L M Secure letterhead information for multi-content type emails
WO2003007570A1 (en) * 2001-07-10 2003-01-23 Research In Motion Limited System and method for secure message key caching in a mobile communication device
US7046991B2 (en) 2001-07-16 2006-05-16 Research In Motion Limited System and method for supporting multiple certificate authorities on a mobile communication device
CN100380895C (en) 2001-08-06 2008-04-09 捷讯研究有限公司 System and method for processing encoded messages
US20030074555A1 (en) * 2001-10-17 2003-04-17 Fahn Paul Neil URL-based certificate in a PKI
US20030126085A1 (en) * 2001-12-27 2003-07-03 Slamdunk Networks, Inc. Dynamic authentication of electronic messages using a reference to a certificate
GB0202431D0 (en) 2002-02-02 2002-03-20 F Secure Oyj Method and apparatus for encrypting data
US7130886B2 (en) * 2002-03-06 2006-10-31 Research In Motion Limited System and method for providing secure message signature status and trust status indication
CA2479619C (en) 2002-03-20 2008-05-20 Research In Motion Limited Certificate information storage system and method
EP2141872B1 (en) 2002-03-20 2018-09-26 BlackBerry Limited System and method for transmitting and utilizing attachments
WO2003079627A2 (en) 2002-03-20 2003-09-25 Research In Motion Limited System and method for supporting multiple certificate status providers on a mobile communication device
US7092527B2 (en) 2002-04-18 2006-08-15 International Business Machines Corporation Method, system and program product for managing a size of a key management block during content distribution
JP4239497B2 (en) 2002-07-09 2009-03-18 株式会社ニコン Image transmission system, image relay device, and electronic image equipment
US7127604B2 (en) 2002-07-09 2006-10-24 Texas Instruments Incorporated Changing a codec or MAC size without affecting the encryption key in PacketCable communication
US20040133520A1 (en) * 2003-01-07 2004-07-08 Callas Jonathan D. System and method for secure and transparent electronic communication
US7640427B2 (en) * 2003-01-07 2009-12-29 Pgp Corporation System and method for secure electronic communication in a partially keyless environment
JP3928589B2 (en) 2003-06-12 2007-06-13 コニカミノルタビジネステクノロジーズ株式会社 Communication system and method
FR2858899B1 (en) * 2003-08-11 2005-12-02 Medialive Secure distributed method and system for audiovisual flow protection and distribution
US20050039100A1 (en) 2003-08-14 2005-02-17 International Business Machines Corporation Method and system for automatic error recovery in an electronic mail system
EP1549011A1 (en) 2003-12-26 2005-06-29 Orange France Communication method and system between a terminal and at least a communication device
JP4643278B2 (en) 2004-02-04 2011-03-02 株式会社リコー Information providing apparatus, information providing method, information providing program, and recording medium
ATE498268T1 (en) 2004-03-22 2011-02-15 Research In Motion Ltd System and method for displaying message attachments
US8050653B2 (en) 2004-03-22 2011-11-01 Research In Motion Limited System and method for viewing message attachments
US20050246763A1 (en) 2004-03-25 2005-11-03 National University Of Ireland Secure digital content reproduction using biometrically derived hybrid encryption techniques
US7694135B2 (en) 2004-07-16 2010-04-06 Geotrust, Inc. Security systems and services to provide identity and uniform resource identifier verification
US20060036849A1 (en) 2004-08-09 2006-02-16 Research In Motion Limited System and method for certificate searching and retrieval
US7430663B2 (en) 2004-08-09 2008-09-30 Research In Motion Limited System and method for enabling bulk retrieval of certificates
CA2476914A1 (en) 2004-08-09 2006-02-09 Research In Motion Limited System and method for certificate searching and retrieval
US9094429B2 (en) 2004-08-10 2015-07-28 Blackberry Limited Server verification of secure electronic messages
US7640428B2 (en) 2004-09-02 2009-12-29 Research In Motion Limited System and method for searching and retrieving certificates
US7664947B2 (en) 2005-10-12 2010-02-16 The Boeing Company Systems and methods for automated exchange of electronic mail encryption certificates
EP1803249B1 (en) 2005-10-14 2010-04-07 Research In Motion Limited System and method for protecting master encryption keys
US8191105B2 (en) 2005-11-18 2012-05-29 Research In Motion Limited System and method for handling electronic messages
EP1806683A1 (en) 2005-11-30 2007-07-11 Research In Motion Limited Display of secure messages on a mobile communication device
US7840207B2 (en) 2005-11-30 2010-11-23 Research In Motion Limited Display of secure messages on a mobile communication device
US10075182B2 (en) * 2006-10-13 2018-09-11 Qualcomm Incorporated Message compression

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lai, M. K. E. et al. A mobile subscriber proxy preserving writer-to-reader message security. Military Communications Conference, 1996. MILCOM '96 Conference Proceedings, IEEE, McLean, VA, USA, 1996, pp. 461-467. *

Also Published As

Publication number Publication date
US9172540B2 (en) 2015-10-27
CN1653459A (en) 2005-08-10
CA2450631A1 (en) 2002-12-19
US7653815B2 (en) 2010-01-26
JP4460283B2 (en) 2010-05-12
WO2002102009A2 (en) 2002-12-19
US20050163320A1 (en) 2005-07-28
WO2002102009A3 (en) 2003-04-10
US20100115264A1 (en) 2010-05-06
CN1653459B (en) 2010-12-15
US8527767B2 (en) 2013-09-03
EP1410296A2 (en) 2004-04-21
CA2450631C (en) 2011-09-13
JP2007318809A (en) 2007-12-06
US8205084B2 (en) 2012-06-19
IL159340A (en) 2011-02-28
US20130318344A1 (en) 2013-11-28
US20040196978A1 (en) 2004-10-07
IL159340A0 (en) 2004-06-01
CN1717697A (en) 2006-01-04
US7827406B2 (en) 2010-11-02
US20100124333A1 (en) 2010-05-20
KR100576558B1 (en) 2006-05-08
AU2002317062A1 (en) 2002-12-23
KR20040010708A (en) 2004-01-31
US8447980B2 (en) 2013-05-21
US20110231646A1 (en) 2011-09-22
JP2004535003A (en) 2004-11-18

Similar Documents

Publication Publication Date Title
CN1717697B (en) System and method for compressing secure e-mail for exchange with a mobile data communication device
CN1653779B (en) System and method for supporting multiple certificate status providers on a mobile communication device
CN1672380B (en) System and method for checking digital certificate status
CN1554176B (en) Method for processing encrypted message in wireless mobile communication device and device for processing multiple access for encrypted contents
CN100563242C (en) Certificate information storage system and method
CN101232504B (en) System and method for processing encoded messages
CN100410927C (en) Certificate management and transfer system and method
CN1674590B (en) System and method for viewing message attachments
CN1653764B (en) Method and system for transmitting and utilizing attachments
CN100531108C (en) System and method for processing encoded messages
US9325647B2 (en) Message-handling server and method for handling secure message attachments for a mobile device
CA2450601C (en) System and method for compressing secure e-mail for exchange with a mobile data communication device
CN1729476B (en) Message settings selection
US8423763B2 (en) System and method for supporting multiple certificate status providers on a mobile communication device
JP2005506803A (en) Multi-stage system and method for processing encoded messages
JP2011048389A (en) System and method of indicating strength of encryption
CN1856957B (en) System and method for securing wireless data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term (Granted publication date: 20120125)